Don't read "soft-deleted" profiles

Nothing is actually "soft-deleting" profiles yet, and this
is a first step toward migrating profiles to a new data
store.

.editorconfig

@@ -5,7 +5,7 @@ indent_size = 2
 indent_style = space
 insert_final_newline = true
 max_line_length = 120
-tab_width = 2
+tab_width = 8
 ij_continuation_indent_size = 4
 ij_formatter_off_tag = @formatter:off
 ij_formatter_on_tag = @formatter:on
@@ -34,18 +34,15 @@ ij_css_use_double_quotes = true
 ij_css_value_alignment = do_not_align
 
 [*.feature]
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_gherkin_keep_indents_on_empty_lines = false
 
 [*.gsp]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_gsp_keep_indents_on_empty_lines = false
 
 [*.haml]
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_haml_keep_indents_on_empty_lines = false
 
@@ -144,8 +141,8 @@ ij_java_for_brace_force = always
 ij_java_for_statement_new_line_after_left_paren = false
 ij_java_for_statement_right_paren_on_new_line = false
 ij_java_for_statement_wrap = normal
-ij_java_generate_final_locals = false
-ij_java_generate_final_parameters = false
+ij_java_generate_final_locals = true
+ij_java_generate_final_parameters = true
 ij_java_if_brace_force = always
 ij_java_imports_layout = $*,|,*
 ij_java_indent_case_from_switch = true
@@ -298,7 +295,6 @@ ij_java_wrap_first_method_in_call_chain = false
 ij_java_wrap_long_lines = false
 
 [*.less]
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_less_align_closing_brace_with_properties = false
 ij_less_blank_lines_around_nested_selector = 1
@@ -332,7 +328,6 @@ ij_protobuf_spaces_within_brackets = false
 
 [*.rs]
 indent_size = 4
-tab_width = 4
 ij_rust_align_multiline_chained_methods = false
 ij_rust_align_multiline_parameters = true
 ij_rust_align_multiline_parameters_in_calls = true
@@ -392,7 +387,6 @@ ij_scss_use_double_quotes = true
 ij_scss_value_alignment = 0
 
 [*.styl]
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_stylus_align_closing_brace_with_properties = false
 ij_stylus_blank_lines_around_nested_selector = 1
@@ -876,7 +870,6 @@ ij_coffeescript_var_declaration_wrap = normal
 
 [{*.dot,*.gv}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_dot_keep_blank_lines_in_code = 2
 ij_dot_keep_indents_on_empty_lines = false
@@ -898,13 +891,11 @@ ij_rhtml_keep_indents_on_empty_lines = false
 
 [{*.ft,*.vm,*.vsl}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_vtl_keep_indents_on_empty_lines = false
 
 [{*.gant,*.gradle,*.groovy,*.gson,*.gy}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_groovy_align_group_field_declarations = false
 ij_groovy_align_multiline_array_initializer_expression = false
@@ -1111,7 +1102,6 @@ ij_ruby_spaces_within_braces = true
 
 [{*.gradle.kts,*.kt,*.kts,*.main.kts}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_kotlin_align_in_columns_case_branch = false
 ij_kotlin_align_multiline_binary_operation = false
@@ -1206,7 +1196,6 @@ ij_json_spaces_within_brackets = false
 ij_json_wrap_long_lines = false
 
 [{*.hcl,*.nomad}]
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_hcl_array_wrapping = 2
 ij_hcl_keep_blank_lines_in_code = 2
@@ -1252,20 +1241,17 @@ ij_html_uniform_ident = false
 
 [{*.jsf,*.jsp,*.jspf,*.tag,*.tagf,*.xjsp}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_jsp_jsp_prefer_comma_separated_import_list = false
 ij_jsp_keep_indents_on_empty_lines = false
 
 [{*.jspx,*.tagx}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_jspx_keep_indents_on_empty_lines = false
 
 [{*.lua,*.lua.txt}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_lua_align_consecutive_variable_declarations = false
 ij_lua_align_multiline_parameters = true
@@ -1280,7 +1266,6 @@ ij_lua_spaces_around_assignment_operators = true
 
 [{*.markdown,*.md}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_markdown_force_one_space_after_blockquote_symbol = true
 ij_markdown_force_one_space_after_header_symbol = true
@@ -1294,9 +1279,6 @@ ij_markdown_min_lines_around_block_elements = 1
 ij_markdown_min_lines_around_header = 1
 ij_markdown_min_lines_between_paragraphs = 1
 
-[{*.mk,GNUmakefile,makefile}]
-tab_width = 4
-
 [{*.pb,*.textproto}]
 ij_prototext_keep_blank_lines_in_code = 2
 ij_prototext_keep_indents_on_empty_lines = false
@@ -1381,7 +1363,6 @@ ij_python_use_continuation_indent_for_collection_and_comprehensions = false
 ij_python_wrap_long_lines = false
 
 [{*.tf,*.tfvars}]
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_hcl-terraform_array_wrapping = 2
 ij_hcl-terraform_keep_blank_lines_in_code = 2
@@ -1399,7 +1380,6 @@ ij_hcl-terraform_wrap_long_lines = false
 
 [{*.toml,Cargo.lock,Gopkg.lock,Pipfile}]
 indent_size = 4
-tab_width = 4
 ij_continuation_indent_size = 8
 ij_toml_keep_indents_on_empty_lines = false
 

.github/FUNDING.yml

@@ -0,0 +1,4 @@
+# Copyright 2021 Signal Messenger, LLC
+# SPDX-License-Identifier: AGPL-3.0-only
+
+custom: https://signal.org/donate/

.github/workflows/test.yml

@@ -1,6 +1,6 @@
 name: Service CI
 
-on: [push, pull_request]
+on: [push]
 
 jobs:
   build:
@@ -9,8 +9,10 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Set up JDK 11
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@3bc31aaf88e8fc94dc1e632d48af61be5ca8721c
         with:
-          java-version: 11
+          distribution: 'temurin'
+          java-version: 17
+          cache: 'maven'
       - name: Build with Maven
-        run: mvn -e -B package
+        run: mvn -e -B verify

.gitignore

@@ -9,12 +9,20 @@ config/production.yml
 config/federated.yml
 config/staging.yml
 config/testing.yml
-service/config/production.yml
-service/config/federated.yml
-service/config/staging.yml
-service/config/testing.yml
+config/deploy.properties
+/service/config/production.yml
+/service/config/federated.yml
+/service/config/staging.yml
+/service/config/testing.yml
+/service/config/deploy.properties
+/service/dependency-reduced-pom.xml
 .opsmanage
 put.sh
 deployer-staging.properties
 deployer-production.properties
 deployer.log
+/service/src/main/resources/org/signal/badges/Badges_*.properties
+!/service/src/main/resources/org/signal/badges/Badges_en.properties
+/service/src/main/resources/org/signal/subscriptions/Subscriptions_*.properties
+!/service/src/main/resources/org/signal/subscriptions/Subscriptions_en.properties
+/.tx/config

.gitmodules

@@ -0,0 +1,11 @@
+# Note that the implmentation of the abusive message filter is private; internal
+# developers will need to override this URL with:
+#
+# ```
+# git config submodule.abusive-message-filter.url PRIVATE_URL
+# ```
+#
+# External developers may safely ignore this submodule.
+[submodule "abusive-message-filter"]
+	path = abusive-message-filter
+	url = REDACTED

.mvn/extensions.xml

@@ -0,0 +1,9 @@
+<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd">
+  <extension>
+    <groupId>fr.brouillard.oss</groupId>
+    <artifactId>jgitver-maven-plugin</artifactId>
+    <version>1.7.1</version>
+  </extension>
+</extensions>

.mvn/jgitver.config.xml

@@ -0,0 +1,14 @@
+<configuration xmlns="http://jgitver.github.io/maven/configuration/1.1.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://jgitver.github.io/maven/configuration/1.1.0 https://jgitver.github.io/maven/configuration/jgitver-configuration-v1_1_0.xsd">
+  <useDirty>true</useDirty>
+  <useDefaultBranchingPolicy>false</useDefaultBranchingPolicy>
+  <branchPolicies>
+    <branchPolicy>
+      <pattern>(.*)</pattern>
+      <transformations>
+        <transformation>IGNORE</transformation>
+      </transformations>
+    </branchPolicy>
+  </branchPolicies>
+</configuration>

LICENSE

@@ -615,3 +615,47 @@ reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

gcm-sender-async/pom.xml

@@ -1,47 +1,52 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <parent>
-        <artifactId>TextSecureServer</artifactId>
-        <groupId>org.whispersystems.textsecure</groupId>
-        <version>1.0</version>
-    </parent>
-    <modelVersion>4.0.0</modelVersion>
-
-    <artifactId>gcm-sender-async</artifactId>
-    <version>${TextSecureServer.version}</version>
-
-
-    <dependencies>
-        <dependency>
-            <groupId>io.github.resilience4j</groupId>
-            <artifactId>resilience4j-retry</artifactId>
-            <version>${resilience4j.version}</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>com.squareup.okhttp</groupId>
-            <artifactId>mockwebserver</artifactId>
-            <version>2.1.0</version>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>bcprov-jdk15on</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk16</artifactId>
-            <version>1.46</version>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>gcm-sender-async</artifactId>
 
+  <dependencies>
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-retry</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>jcl-over-slf4j</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-nop</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
 
 </project>
 

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SenderTest.java

@@ -4,32 +4,41 @@
  */
 package org.whispersystems.gcm.server;
 
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.any;
+import static com.github.tomakehurst.wiremock.client.WireMock.anyRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
+import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.ok;
+import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
+import static com.github.tomakehurst.wiremock.client.WireMock.verify;
+import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
+import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
+
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.squareup.okhttp.mockwebserver.MockResponse;
-import com.squareup.okhttp.mockwebserver.RecordedRequest;
-import com.squareup.okhttp.mockwebserver.rule.MockWebServerRule;
-import org.junit.Ignore;
-import org.junit.Rule;
-import org.junit.Test;
-
+import com.github.tomakehurst.wiremock.client.CountMatchingStrategy;
+import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import java.io.IOException;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
-
-import static junit.framework.TestCase.assertTrue;
-import static org.junit.Assert.*;
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
-import static org.whispersystems.gcm.server.util.JsonHelpers.jsonFixture;
+import org.junit.Rule;
+import org.junit.Test;
 
 public class SenderTest {
 
   @Rule
-  public MockWebServerRule server = new MockWebServerRule();
+  public WireMockRule wireMock = new WireMockRule(options().dynamicPort().dynamicHttpsPort());
 
   private static final ObjectMapper mapper = new ObjectMapper();
 
@@ -41,11 +50,13 @@ public class SenderTest {
 
   @Test
   public void testSuccess() throws InterruptedException, ExecutionException, TimeoutException, IOException {
-    MockResponse successResponse = new MockResponse().setResponseCode(200)
-                                                     .setBody(fixture("fixtures/response-success.json"));
-    server.enqueue(successResponse);
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(200)
+            .withBody(fixture("fixtures/response-success.json"))));
 
-    Sender                    sender = new Sender("foobarbaz", mapper, 10, server.getUrl("/gcm/send").toExternalForm());
+
+    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
     CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
 
     Result result = future.get(10, TimeUnit.SECONDS);
@@ -57,20 +68,19 @@ public class SenderTest {
     assertNull(result.getError());
     assertNull(result.getCanonicalRegistrationId());
 
-    RecordedRequest request = server.takeRequest();
-    assertEquals(request.getPath(), "/gcm/send");
-    assertEquals(new String(request.getBody()), jsonFixture("fixtures/message-minimal.json"));
-    assertEquals(request.getHeader("Authorization"), "key=foobarbaz");
-    assertEquals(request.getHeader("Content-Type"), "application/json");
-    assertEquals(server.getRequestCount(), 1);
+    verify(1, postRequestedFor(urlEqualTo("/gcm/send"))
+        .withHeader("Authorization", equalTo("key=foobarbaz"))
+        .withHeader("Content-Type", equalTo("application/json"))
+        .withRequestBody(equalTo(jsonFixture("fixtures/message-minimal.json"))));
   }
 
   @Test
   public void testBadApiKey() throws InterruptedException, TimeoutException {
-    MockResponse unauthorizedResponse = new MockResponse().setResponseCode(401);
-    server.enqueue(unauthorizedResponse);
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(401)));
 
-    Sender                    sender = new Sender("foobar", mapper, 10, server.getUrl("/gcm/send").toExternalForm());
+    Sender                    sender = new Sender("foobar", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
     CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
 
     try {
@@ -80,15 +90,16 @@ public class SenderTest {
       assertTrue(ee.getCause() instanceof AuthenticationFailedException);
     }
 
-    assertEquals(server.getRequestCount(), 1);
+    verify(1, anyRequestedFor(anyUrl()));
   }
 
   @Test
   public void testBadRequest() throws TimeoutException, InterruptedException {
-    MockResponse malformed = new MockResponse().setResponseCode(400);
-    server.enqueue(malformed);
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(400)));
 
-    Sender                    sender = new Sender("foobarbaz", mapper, 10, server.getUrl("/gcm/send").toExternalForm());
+    Sender                    sender = new Sender("foobarbaz", mapper, 10, "http://localhost:" + wireMock.port() + "/gcm/send");
     CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
 
     try {
@@ -98,17 +109,16 @@ public class SenderTest {
       assertTrue(e.getCause() instanceof InvalidRequestException);
     }
 
-    assertEquals(server.getRequestCount(), 1);
+    verify(1, anyRequestedFor(anyUrl()));
   }
 
   @Test
   public void testServerError() throws TimeoutException, InterruptedException {
-    MockResponse error = new MockResponse().setResponseCode(503);
-    server.enqueue(error);
-    server.enqueue(error);
-    server.enqueue(error);
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(aResponse()
+            .withStatus(503)));
 
-    Sender                    sender = new Sender("foobarbaz", mapper, 3, server.getUrl("/gcm/send").toExternalForm());
+    Sender                    sender = new Sender("foobarbaz", mapper, 3, "http://localhost:" + wireMock.port() + "/gcm/send");
     CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
 
     try {
@@ -118,27 +128,29 @@ public class SenderTest {
       assertTrue(ee.getCause() instanceof ServerFailedException);
     }
 
-    assertEquals(server.getRequestCount(), 3);
+    verify(3, anyRequestedFor(anyUrl()));
   }
 
   @Test
   public void testServerErrorRecovery() throws InterruptedException, ExecutionException, TimeoutException {
-    MockResponse success = new MockResponse().setResponseCode(200)
-                                             .setBody(fixture("fixtures/response-success.json"));
 
-    MockResponse error = new MockResponse().setResponseCode(503);
+    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(503)));
 
-    server.enqueue(error);
-    server.enqueue(error);
-    server.enqueue(error);
-    server.enqueue(success);
-
-    Sender                    sender = new Sender("foobarbaz", mapper, 4, server.getUrl("/gcm/send").toExternalForm());
+    Sender                    sender = new Sender("foobarbaz", mapper, 4, "http://localhost:" + wireMock.port() + "/gcm/send");
     CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
 
+    // up to three failures can happen, with 100ms exponential backoff
+    // if we end up using the fourth, and finaly try, it would be after ~700 ms
+    CompletableFuture.delayedExecutor(300, TimeUnit.MILLISECONDS).execute(() ->
+        wireMock.stubFor(any(anyUrl())
+            .willReturn(aResponse()
+                .withStatus(200)
+                .withBody(fixture("fixtures/response-success.json"))))
+    );
+
     Result result = future.get(10, TimeUnit.SECONDS);
 
-    assertEquals(server.getRequestCount(), 4);
+    verify(new CountMatchingStrategy(CountMatchingStrategy.GREATER_THAN, 1), anyRequestedFor(anyUrl()));
     assertTrue(result.isSuccess());
     assertFalse(result.isThrottled());
     assertFalse(result.isUnregistered());
@@ -148,18 +160,14 @@ public class SenderTest {
   }
 
   @Test
-  @Ignore
-  public void testNetworkError() throws TimeoutException, InterruptedException, IOException {
-    MockResponse response = new MockResponse().setResponseCode(200)
-                                              .setBody(fixture("fixtures/response-success.json"));
+  public void testNetworkError() throws TimeoutException, InterruptedException {
 
-    server.enqueue(response);
-    server.enqueue(response);
-    server.enqueue(response);
+    wireMock.stubFor(any(anyUrl())
+        .willReturn(ok()));
 
-    Sender sender = new Sender("foobarbaz", mapper ,2, server.getUrl("/gcm/send").toExternalForm());
+    Sender sender = new Sender("foobarbaz", mapper ,2, "http://localhost:" + wireMock.port() + "/gcm/send");
 
-    server.get().shutdown();
+    wireMock.stop();
 
     CompletableFuture<Result> future = sender.send(Message.newBuilder().withDestination("1").build());
 
@@ -172,12 +180,11 @@ public class SenderTest {
 
   @Test
   public void testNotRegistered() throws InterruptedException, ExecutionException, TimeoutException {
-    MockResponse response = new MockResponse().setResponseCode(200)
-                                              .setBody(fixture("fixtures/response-not-registered.json"));
 
-    server.enqueue(response);
+    wireMock.stubFor(any(anyUrl()).willReturn(aResponse().withStatus(200)
+        .withBody(fixture("fixtures/response-not-registered.json"))));
 
-    Sender                    sender = new Sender("foobarbaz", mapper,2, server.getUrl("/gcm/send").toExternalForm());
+    Sender                    sender = new Sender("foobarbaz", mapper,2, "http://localhost:" + wireMock.port() + "/gcm/send");
     CompletableFuture<Result> future = sender.send(Message.newBuilder()
                                                          .withDestination("2")
                                                          .withDataPart("message", "new message!")

gcm-sender-async/src/test/java/org/whispersystems/gcm/server/SimultaneousSenderTest.java

@@ -4,31 +4,34 @@
  */
 package org.whispersystems.gcm.server;
 
+import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
+import static com.github.tomakehurst.wiremock.client.WireMock.post;
+import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
+import static junit.framework.TestCase.assertTrue;
+import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
+
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
-import org.junit.Ignore;
-import org.junit.Rule;
-import org.junit.Test;
-
 import java.util.LinkedList;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
-
-import static com.github.tomakehurst.wiremock.client.WireMock.*;
-import static junit.framework.TestCase.assertTrue;
-import static org.whispersystems.gcm.server.util.FixtureHelpers.fixture;
+import org.junit.Ignore;
+import org.junit.Rule;
+import org.junit.Test;
 
 public class SimultaneousSenderTest {
 
   @Rule
-  public WireMockRule wireMock = new WireMockRule(8089);
+  public WireMockRule wireMock = new WireMockRule(WireMockConfiguration.options().dynamicPort().dynamicHttpsPort());
 
   private static final ObjectMapper mapper = new ObjectMapper();
 
@@ -45,7 +48,7 @@ public class SimultaneousSenderTest {
                                 .withStatus(200)
                                 .withBody(fixture("fixtures/response-success.json"))));
 
-    Sender                          sender  = new Sender("foobarbaz", mapper, 2, "http://localhost:8089/gcm/send");
+    Sender                          sender  = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
     List<CompletableFuture<Result>> results = new LinkedList<>();
 
     for (int i=0;i<1000;i++) {
@@ -68,7 +71,7 @@ public class SimultaneousSenderTest {
                 .willReturn(aResponse()
                                 .withStatus(503)));
 
-    Sender                         sender   = new Sender("foobarbaz", mapper, 2, "http://localhost:8089/gcm/send");
+    Sender                         sender   = new Sender("foobarbaz", mapper, 2, "http://localhost:" + wireMock.port() + "/gcm/send");
     List<CompletableFuture<Result>> futures = new LinkedList<>();
 
     for (int i=0;i<1000;i++) {

gcm-sender-async/src/test/resources/logback-test.xml

@@ -1,6 +1,8 @@
-<!-- Turning down the wiremock logging -->
-<logger name="com.github.tomakehurst.wiremock" level="WARN"/>
-<logger name="wiremock.org" level="ERROR"/>
-<logger name="WireMock" level="WARN"/>
-<!-- wiremock has per endpoint servlet logging -->
-<logger name="/" level="WARN"/>
+<configuration>
+  <!-- Turning down the wiremock logging -->
+  <logger name="com.github.tomakehurst.wiremock" level="WARN"/>
+  <logger name="wiremock.org" level="ERROR"/>
+  <logger name="WireMock" level="WARN"/>
+  <!-- wiremock has per endpoint servlet logging -->
+  <logger name="/" level="WARN"/>
+</configuration>

pom.xml

@@ -1,211 +1,450 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <packaging>pom</packaging>
-    <prerequisites>
-        <maven>3.0.0</maven>
-    </prerequisites>
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <packaging>pom</packaging>
 
-    <repositories>
-        <repository>
-            <id>central</id>
-            <name>Central Repository</name>
-            <url>https://repo.maven.apache.org/maven2</url>
-            <snapshots>
-                <enabled>false</enabled>
-            </snapshots>
-        </repository>
-        <repository>
-            <id>dynamodb-local-oregon</id>
-            <name>DynamoDB Local Release Repository</name>
-            <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
-        </repository>
-    </repositories>
+  <repositories>
+    <repository>
+      <id>central</id>
+      <name>Central Repository</name>
+      <url>https://repo.maven.apache.org/maven2</url>
+      <snapshots>
+        <enabled>false</enabled>
+      </snapshots>
+    </repository>
+    <repository>
+      <id>dynamodb-local-oregon</id>
+      <name>DynamoDB Local Release Repository</name>
+      <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
+    </repository>
+  </repositories>
 
-    <modules>
-        <module>redis-dispatch</module>
-        <module>websocket-resources</module>
-        <module>gcm-sender-async</module>
-        <module>service</module>
-    </modules>
+  <modules>
+    <module>redis-dispatch</module>
+    <module>websocket-resources</module>
+    <module>gcm-sender-async</module>
+    <module>service</module>
+  </modules>
 
-    <properties>
-        <dropwizard.version>2.0.13</dropwizard.version>
-        <resilience4j.version>1.5.0</resilience4j.version>
-        <mockito.version>2.25.1</mockito.version>
-        <aws.sdk.version>1.11.939</aws.sdk.version>
+  <properties>
+    <aws.sdk.version>1.11.939</aws.sdk.version>
+    <aws.sdk2.version>2.16.66</aws.sdk2.version>
+    <commons-codec.version>1.15</commons-codec.version>
+    <commons-csv.version>1.8</commons-csv.version>
+    <commons-io.version>2.9.0</commons-io.version>
+    <dropwizard.version>2.0.25</dropwizard.version>
+    <dropwizard-metrics-datadog.version>1.1.13</dropwizard-metrics-datadog.version>
+    <gson.version>2.8.8</gson.version>
+    <guava.version>30.1.1-jre</guava.version>
+    <jaxb.version>2.3.1</jaxb.version>
+    <jedis.version>2.9.0</jedis.version>
+    <lettuce.version>6.0.4.RELEASE</lettuce.version>
+    <libphonenumber.version>8.12.33</libphonenumber.version>
+    <logstash.logback.version>6.6</logstash.logback.version>
+    <micrometer.version>1.5.3</micrometer.version>
+    <mockito.version>4.0.0</mockito.version>
+    <netty.version>4.1.65.Final</netty.version>
+    <netty.tcnative-boringssl-static.version>2.0.39.Final</netty.tcnative-boringssl-static.version>
+    <opentest4j.version>1.2.0</opentest4j.version>
+    <postgresql.version>9.4-1201-jdbc41</postgresql.version>
+    <protobuf.version>3.17.1</protobuf.version>
+    <pushy.version>0.15.0</pushy.version>
+    <resilience4j.version>1.5.0</resilience4j.version>
+    <semver4j.version>3.1.0</semver4j.version>
+    <slf4j.version>1.7.30</slf4j.version>
+    <stripe.version>20.79.0</stripe.version>
 
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <TextSecureServer.version>5.30</TextSecureServer.version>
-    </properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
 
-    <parent>
+  <groupId>org.whispersystems.textsecure</groupId>
+  <artifactId>TextSecureServer</artifactId>
+  <version>JGITVER</version>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
         <groupId>io.dropwizard</groupId>
         <artifactId>dropwizard-dependencies</artifactId>
-        <version>2.0.13</version>
-    </parent>
+        <version>${dropwizard.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>com.amazonaws</groupId>
+        <artifactId>aws-java-sdk-bom</artifactId>
+        <version>${aws.sdk.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>software.amazon.awssdk</groupId>
+        <artifactId>bom</artifactId>
+        <version>${aws.sdk2.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>com.google.cloud</groupId>
+        <artifactId>libraries-bom</artifactId>
+        <version>20.9.0</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.github.resilience4j</groupId>
+        <artifactId>resilience4j-bom</artifactId>
+        <version>${resilience4j.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.micrometer</groupId>
+        <artifactId>micrometer-bom</artifactId>
+        <version>${micrometer.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
 
-
-    <groupId>org.whispersystems.textsecure</groupId>
-    <artifactId>TextSecureServer</artifactId>
-    <version>1.0</version>
-
-    <dependencies>
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-core</artifactId>
-            <version>${dropwizard.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-jdbi3</artifactId>
-            <version>${dropwizard.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-auth</artifactId>
-            <version>${dropwizard.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-client</artifactId>
-            <version>${dropwizard.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-migrations</artifactId>
-            <version>${dropwizard.version}</version>
-        </dependency>
-
-        <dependency>
-            <groupId>javax.xml.bind</groupId>
-            <artifactId>jaxb-api</artifactId>
-            <version>2.3.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.glassfish.jaxb</groupId>
-            <artifactId>jaxb-runtime</artifactId>
-            <version>2.3.1</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-servlets</artifactId>
-            <version>${dropwizard.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>io.dropwizard</groupId>
-            <artifactId>dropwizard-testing</artifactId>
-            <version>${dropwizard.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.hamcrest</groupId>
-            <artifactId>hamcrest-all</artifactId>
-            <version>1.3</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.github.tomakehurst</groupId>
-            <artifactId>wiremock-jre8</artifactId>
-            <version>2.26.2</version>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.hamcrest</groupId>
-                    <artifactId>hamcrest-core</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>javax.xml.bind</groupId>
-                    <artifactId>jaxb-api</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <version>${mockito.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.assertj</groupId>
-            <artifactId>assertj-core</artifactId>
-            <version>3.15.0</version>
-            <scope>test</scope>
-        </dependency>
+      <dependency>
+        <groupId>com.eatthepath</groupId>
+        <artifactId>pushy</artifactId>
+        <version>${pushy.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.eatthepath</groupId>
+        <artifactId>pushy-dropwizard-metrics-listener</artifactId>
+        <version>${pushy.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>${guava.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.protobuf</groupId>
+        <artifactId>protobuf-java</artifactId>
+        <version>${protobuf.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.googlecode.libphonenumber</groupId>
+        <artifactId>libphonenumber</artifactId>
+        <version>${libphonenumber.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.vdurmont</groupId>
+        <artifactId>semver4j</artifactId>
+        <version>${semver4j.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-codec</groupId>
+        <artifactId>commons-codec</artifactId>
+        <version>${commons-codec.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commons-io.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.lettuce</groupId>
+        <artifactId>lettuce-core</artifactId>
+        <version>${lettuce.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-tcnative-boringssl-static</artifactId>
+        <version>${netty.tcnative-boringssl-static.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <dependency>
+        <groupId>javax.xml.bind</groupId>
+        <artifactId>jaxb-api</artifactId>
+        <version>${jaxb.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>net.logstash.logback</groupId>
+        <artifactId>logstash-logback-encoder</artifactId>
+        <version>${logstash.logback.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.commons</groupId>
+        <artifactId>commons-csv</artifactId>
+        <version>${commons-csv.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.coursera</groupId>
+        <artifactId>dropwizard-metrics-datadog</artifactId>
+        <version>${dropwizard-metrics-datadog.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.glassfish.jaxb</groupId>
+        <artifactId>jaxb-runtime</artifactId>
+        <version>${jaxb.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-core</artifactId>
+        <version>${mockito.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-inline</artifactId>
+        <version>${mockito.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.opentest4j</groupId>
+        <artifactId>opentest4j</artifactId>
+        <version>${opentest4j.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.postgresql</groupId>
+        <artifactId>postgresql</artifactId>
+        <version>${postgresql.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-api</artifactId>
+        <version>${slf4j.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-nop</artifactId>
+        <version>${slf4j.version}</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>redis.clients</groupId>
+        <artifactId>jedis</artifactId>
+        <version>${jedis.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-logging</groupId>
+        <artifactId>commons-logging</artifactId>
+        <version>1.2</version>
+      </dependency>
+      <dependency>
+        <groupId>org.ow2.asm</groupId>
+        <artifactId>asm</artifactId>
+        <version>9.2</version>
+        <scope>test</scope>
+      </dependency>
+      <dependency>
+        <groupId>com.stripe</groupId>
+        <artifactId>stripe-java</artifactId>
+        <version>${stripe.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.code.gson</groupId>
+        <artifactId>gson</artifactId>
+        <version>${gson.version}</version>
+      </dependency>
     </dependencies>
+  </dependencyManagement>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.8.0</version>
-                <configuration>
-                    <source>11</source>
-                    <target>11</target>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <version>3.1.1</version>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-                        </manifest>
-                    </archive>
-                </configuration>
-            </plugin>
+  <dependencies>
+    <dependency>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest-all</artifactId>
+      <version>1.3</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock-jre8</artifactId>
+      <version>2.31.0</version>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.hamcrest</groupId>
+          <artifactId>hamcrest-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>javax.xml.bind</groupId>
+          <artifactId>jaxb-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <version>${mockito.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
 
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-dependency-plugin</artifactId>
-                <version>3.1.2</version>
-                <executions>
-                    <execution>
-                        <id>copy</id>
-                        <phase>test-compile</phase>
-                        <goals>
-                            <goal>copy-dependencies</goal>
-                        </goals>
-                        <configuration>
-                            <includeScope>test</includeScope>
-                            <includeTypes>so,dll,dylib</includeTypes>
-                            <outputDirectory>${project.build.directory}/lib</outputDirectory>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
+  </dependencies>
 
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0-M1</version>
-                <configuration>
-                    <systemProperties>
-                        <property>
-                            <name>sqlite4java.library.path</name>
-                            <value>${project.build.directory}/lib</value>
-                        </property>
-                    </systemProperties>
-                </configuration>
-            </plugin>
+  <profiles>
+    <profile>
+      <id>include-abusive-message-filter</id>
+      <activation>
+        <file>
+          <exists>abusive-message-filter/pom.xml</exists>
+        </file>
+      </activation>
+      <modules>
+        <module>abusive-message-filter</module>
+      </modules>
+    </profile>
 
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-enforcer-plugin</artifactId>
-                <version>1.4.1</version>
-                <configuration>
-                    <rules><dependencyConvergence/></rules>
-                </configuration>
-            </plugin>
+    <profile>
+      <id>exclude-abusive-message-filter</id>
+      <activation>
+        <file>
+          <missing>abusive-message-filter/pom.xml</missing>
+        </file>
+      </activation>
+    </profile>
+  </profiles>
 
-        </plugins>
-    </build>
+  <build>
+    <extensions>
+      <extension>
+        <groupId>kr.motd.maven</groupId>
+        <artifactId>os-maven-plugin</artifactId>
+        <version>1.7.0</version>
+      </extension>
+    </extensions>
+    <plugins>
+
+      <plugin>
+        <groupId>org.xolstice.maven.plugins</groupId>
+        <artifactId>protobuf-maven-plugin</artifactId>
+        <version>0.6.1</version>
+        <configuration>
+          <protocArtifact>com.google.protobuf:protoc:3.18.0:exe:${os.detected.classifier}</protocArtifact>
+          <checkStaleness>true</checkStaleness>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>compile</goal>
+              <goal>test-compile</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.1</version>
+        <configuration>
+          <release>17</release>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>3.2.0</version>
+        <configuration>
+          <archive>
+            <manifest>
+              <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+            </manifest>
+          </archive>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-dependency-plugin</artifactId>
+        <version>3.1.2</version>
+        <executions>
+          <execution>
+            <id>copy</id>
+            <phase>test-compile</phase>
+            <goals>
+              <goal>copy-dependencies</goal>
+            </goals>
+            <configuration>
+              <includeScope>test</includeScope>
+              <includeTypes>so,dll,dylib</includeTypes>
+              <outputDirectory>${project.build.directory}/lib</outputDirectory>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.0.0-M5</version>
+        <configuration>
+          <systemProperties>
+            <property>
+              <name>sqlite4java.library.path</name>
+              <value>${project.build.directory}/lib</value>
+            </property>
+          </systemProperties>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-enforcer-plugin</artifactId>
+        <version>3.0.0-M3</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>enforce</goal>
+            </goals>
+            <configuration>
+              <rules>
+                <dependencyConvergence/>
+                <requireMavenVersion>
+                  <version>3.8.3</version>
+                </requireMavenVersion>
+              </rules>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-install-plugin</artifactId>
+        <version>3.0.0-M1</version>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-deploy-plugin</artifactId>
+        <version>3.0.0-M1</version>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+
+    </plugins>
+  </build>
 
 </project>

redis-dispatch/pom.xml

@@ -1,16 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <parent>
-        <artifactId>TextSecureServer</artifactId>
-        <groupId>org.whispersystems.textsecure</groupId>
-        <version>1.0</version>
-    </parent>
-    <modelVersion>4.0.0</modelVersion>
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>redis-dispatch</artifactId>
 
-    <artifactId>redis-dispatch</artifactId>
-    <version>${TextSecureServer.version}</version>
+  <dependencies>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+  </dependencies>
 
-
-</project>
+</project>

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java

@@ -5,7 +5,7 @@
 package org.whispersystems.dispatch;
 
 public interface DispatchChannel {
-  public void onDispatchMessage(String channel, byte[] message);
-  public void onDispatchSubscribed(String channel);
-  public void onDispatchUnsubscribed(String channel);
+  void onDispatchMessage(String channel, byte[] message);
+  void onDispatchSubscribed(String channel);
+  void onDispatchUnsubscribed(String channel);
 }

redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java

@@ -59,9 +59,7 @@ public class DispatchManager extends Thread {
       logger.warn("Subscription error", e);
     }
 
-    if (previous.isPresent()) {
-      dispatchUnsubscription(name, previous.get());
-    }
+    previous.ifPresent(channel -> dispatchUnsubscription(name, channel));
   }
 
   public synchronized void unsubscribe(String name, DispatchChannel channel) {
@@ -132,46 +130,28 @@ public class DispatchManager extends Thread {
   }
 
   private void resubscribeAll() {
-    new Thread() {
-      @Override
-      public void run() {
-        synchronized (DispatchManager.this) {
-          try {
-            for (String name : subscriptions.keySet()) {
-              pubSubConnection.subscribe(name);
-            }
-          } catch (IOException e) {
-            logger.warn("***** RESUBSCRIPTION ERROR *****", e);
+    new Thread(() -> {
+      synchronized (DispatchManager.this) {
+        try {
+          for (String name : subscriptions.keySet()) {
+            pubSubConnection.subscribe(name);
           }
+        } catch (IOException e) {
+          logger.warn("***** RESUBSCRIPTION ERROR *****", e);
         }
       }
-    }.start();
+    }).start();
   }
 
   private void dispatchMessage(final String name, final DispatchChannel channel, final byte[] message) {
-    executor.execute(new Runnable() {
-      @Override
-      public void run() {
-        channel.onDispatchMessage(name, message);
-      }
-    });
+    executor.execute(() -> channel.onDispatchMessage(name, message));
   }
 
   private void dispatchSubscription(final String name, final DispatchChannel channel) {
-    executor.execute(new Runnable() {
-      @Override
-      public void run() {
-        channel.onDispatchSubscribed(name);
-      }
-    });
+    executor.execute(() -> channel.onDispatchSubscribed(name));
   }
 
   private void dispatchUnsubscription(final String name, final DispatchChannel channel) {
-    executor.execute(new Runnable() {
-      @Override
-      public void run() {
-        channel.onDispatchUnsubscribed(name);
-      }
-    });
+    executor.execute(() -> channel.onDispatchUnsubscribed(name));
   }
 }

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java

@@ -20,7 +20,7 @@ public class RedisInputStream {
   }
 
   public String readLine() throws IOException {
-    ByteArrayOutputStream boas = new ByteArrayOutputStream();
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
 
     boolean foundCr = false;
 
@@ -31,14 +31,14 @@ public class RedisInputStream {
         throw new IOException("Stream closed!");
       }
 
-      boas.write(character);
+      baos.write(character);
 
       if      (foundCr && character == LF) break;
       else if (character == CR)            foundCr = true;
       else if (foundCr)                    foundCr = false;
     }
 
-    byte[] data = boas.toByteArray();
+    byte[] data = baos.toByteArray();
     return new String(data, 0, data.length-2);
   }
 

redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java

@@ -8,6 +8,6 @@ import org.whispersystems.dispatch.redis.PubSubConnection;
 
 public interface RedisPubSubConnectionFactory {
 
-  public PubSubConnection connect();
+  PubSubConnection connect();
 
 }

service/assembly.xml

@@ -1,6 +1,6 @@
-<assembly xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0"
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-          xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.0 http://maven.apache.org/xsd/assembly-1.1.0.xsd">
+          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.1.0 http://maven.apache.org/xsd/assembly-2.1.0.xsd">
     <id>bin</id>
     <includeBaseDirectory>false</includeBaseDirectory>
     <formats>
@@ -18,8 +18,8 @@
             <directory>${project.build.directory}</directory>
             <outputDirectory>/</outputDirectory>
             <includes>
-                <include>${parent.artifactId}-${TextSecureServer.version}.jar</include>
+                <include>${parent.artifactId}-${project.version}.jar</include>
             </includes>
         </fileSet>
     </fileSets>
-</assembly>
+</assembly>

service/config/sample.yml

@@ -1,127 +1,337 @@
+# Example, relatively minimal, configuration that passes validation (see `io.dropwizard.cli.CheckCommand`)
+#
+# `unset` values will need to be set to work properly.
+# Most other values are technically valid for a local/demonstration environment, but are probably not production-ready.
+
+stripe:
+  apiKey: unset
+  idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+  boostDescription: >
+    Example
+
+dynamoDbClientConfiguration:
+  region: us-west-2 # AWS Region
+
+dynamoDbTables:
+  issuedReceipts:
+    tableName: Example_IssuedReceipts
+    expiration: P30D # Duration of time until rows expire
+    generator: abcdefg12345678= # random base64-encoded binary sequence
+  redeemedReceipts:
+    tableName: Example_RedeemedReceipts
+    expiration: P30D # Duration of time until rows expire
+  subscriptions:
+    tableName: Example_Subscriptions
+
 twilio: # Twilio gateway configuration
-  accountId: 
-  accountToken: 
-  numbers: # Numbers allocated in Twilio
-    - # First number
-    - # Second number
-    - # Third number
-    - # ...
-    - # Nth number
-  nanpaMessagingServiceSid: # Twilio SID for the messaging service to use for NANPA.
-  messagingServiceSid: # Twilio SID for the message service to use for non-NANPA.
-  localDomain: # Domain Twilio can connect back to for calls. Should be domain of your service.
-  iosVerificationText: # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
-  androidNgVerificationText: # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
-  android202001VerificationText: # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
-  genericVerificationText: # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
-  senderId:
-    defaultSenderId: # Sender ID to use for country codes not found in either the overrides or omitted lists.
-    countryCodesWithoutSenderId:
-      - # First country code
-      - # Second country code
-      - # ...
-      - # Nth country code
-    countrySpecificSenderIds:
-      - countryCode: # First country code
-        senderId: # Sender ID to use for this country
-      - countryCode: # Second country code
-        senderId: # Sender ID to use for this country
-      - countryCode: # ...
-        senderId: # ...
-      - countryCode: # Nth country code
-        senderId: # Sender ID to use for this country
+  accountId: unset
+  accountToken: unset
+  nanpaMessagingServiceSid: unset # Twilio SID for the messaging service to use for NANPA.
+  messagingServiceSid: unset # Twilio SID for the message service to use for non-NANPA.
+  verifyServiceSid: unset # Twilio SID for a Verify service
+  localDomain: example.com # Domain Twilio can connect back to for calls. Should be domain of your service.
+  defaultClientVerificationTexts:
+    ios: example %1$s # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
+    androidNg: example %1$s # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
+    android202001: example %1$s # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
+    android202103: example %1$s # Text to use for the verification message on android-2021-03 client types. Will be passed to String.format with the verification code as argument 1.
+    generic: example %1$s # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
+  regionalClientVerificationTexts: # Map of country codes to custom texts
+    999: # example country code
+      ios: example %1$s # all keys from defaultClientVerificationTexts are required
+      androidNg: example %1$s
+      android202001: example %1$s
+      android202103: example %1$s
+      generic: example %1$s
+  androidAppHash: example # Hash appended to Android
+  verifyServiceFriendlyName: example # Service name used in template. Requires Twilio account rep to enable
 
 push:
-  queueSize: # Size of push pending queue
-
-redphone:
-  authKey: # Deprecated
+  queueSize: 1000 # Size of push pending queue
 
 turn: # TURN server configuration
-  secret: # TURN server secret
+  secret: example # TURN server secret
   uris:
-    - stun:yourdomain:80
-    - stun:yourdomain.com:443
-    - turn:yourdomain:443?transport=udp
-    - turn:etc.com:80?transport=udp
+    - stun:example.com:80
+    - stun:another.example.com:443
+    - turn:example.com:443?transport=udp
+    - turn:ya.example.com:80?transport=udp
 
 cacheCluster: # Redis server configuration for cache cluster
-  urls:
+  configurationUri: redis://redis.example.com:6379/
+
+clientPresenceCluster: # Redis server configuration for client presence cluster
+  configurationUri: redis://redis.example.com:6379/
+
+pubsub: # Redis server configuration for pubsub cluster
+  url: redis://redis.example.com:6379/
+  replicaUrls:
     - redis://redis.example.com:6379/
 
+pushSchedulerCluster: # Redis server configuration for push scheduler cluster
+  configurationUri: redis://redis.example.com:6379/
+
+rateLimitersCluster: # Redis server configuration for rate limiters cluster
+  configurationUri: redis://redis.example.com:6379/
+
 directory:
   client: # Configuration for interfacing with Contact Discovery Service cluster
-    userAuthenticationTokenSharedSecret: # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
-    userAuthenticationTokenUserIdSecret: # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
+    userAuthenticationTokenSharedSecret: 00000f # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
+    userAuthenticationTokenUserIdSecret: 00000f # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
   sqs:
-    accessKey:      # AWS SQS accessKey
-    accessSecret:   # AWS SQS accessSecret
-    queueUrl:       # AWS SQS queue url
-  server:
-    replicationUrl:                # CDS replication endpoint base url
-    replicationPassword:           # CDS replication endpoint password
-    replicationCaCertificate:      # CDS replication endpoint TLS certificate trust root
-    reconciliationChunkSize:       # CDS reconciliation chunk size
-    reconciliationChunkIntervalMs: # CDS reconciliation chunk interval, in milliseconds
+    accessKey: test     # AWS SQS accessKey
+    accessSecret: test  # AWS SQS accessSecret
+    queueUrls: # AWS SQS queue urls
+      - https://sqs.example.com/directory.fifo
+  server: # One or more CDS servers
+    - replicationName: example           # CDS replication name
+      replicationUrl: cds.example.com    # CDS replication endpoint base url
+      replicationPassword: example       # CDS replication endpoint password
+      replicationCaCertificate: |        # CDS replication endpoint TLS certificate trust root
+        -----BEGIN CERTIFICATE-----
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+        AAAAAAAAAAAAAAAAAAAA
+        -----END CERTIFICATE-----
+
+directoryV2:
+  client: # Configuration for interfacing with Contact Discovery Service v2 cluster
+    userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
 
 messageCache: # Redis server configuration for message store cache
-  persistDelayMinutes:
-
+  persistDelayMinutes: 1
   cluster:
-    urls:
-      - redis://redis.example.com:6379/
-
-messageStore: # Postgresql database configuration for message store
-  driverClass: org.postgresql.Driver
-  user:
-  password:
-  url:
+    configurationUri: redis://redis.example.com:6379/
 
 metricsCluster:
-  urls:
-    - redis://redis.example.com:6379/
+  configurationUri: redis://redis.example.com:6379/
+
+messageDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_Messages
+
+keysDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_PreKeys
+
+accountsDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_Accounts
+  phoneNumberTableName: Example_Accounts_PhoneNumbers
+  phoneNumberIdentifierTableName: Example_Accounts_PhoneNumberIdentifiers
+
+deletedAccountsDynamoDb: # DynamoDb table configuration
+  region: us-west-2
+  tableName: Example_DeletedAccounts
+  needsReconciliationIndexName: NeedsReconciliation
+
+deletedAccountsLockDynamoDb: # DynamoDb table configuration
+  region: us-west-2
+  tableName: Example_DeletedAccountsLock
+
+pendingAccountsDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_PendingAccounts
+
+pendingDevicesDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_PendingDevices
+
+reservedUsernamesDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_ReservedUsernames
+
+phoneNumberIdentifiersDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_PhoneNumberIdentifiers
+
+pushChallengeDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_PushChallenges
+
+reportMessageDynamoDb: # DynamoDB table configuration
+  region: us-west-2
+  tableName: Example_ReportedMessages
 
 awsAttachments: # AWS S3 configuration
-  accessKey:
-  accessSecret:
-  bucket:
-  region:
+  accessKey: test
+  accessSecret: test
+  bucket: aws-attachments
+  region: us-west-2
 
 gcpAttachments: # GCP Storage configuration
-  domain:
-  email:
-  maxSizeInBytes:
+  domain: example.com
+  email: user@example.cocm
+  maxSizeInBytes: 1024
   pathPrefix:
-  rsaSigningKey:
+  rsaSigningKey: |
+    -----BEGIN PRIVATE KEY-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAA
+    -----END PRIVATE KEY-----
 
-profiles: # AWS S3 configuration
-  accessKey:
-  accessSecret:
-  bucket:
-  region:
-
-database: # Postgresql database configuration
+abuseDatabase: # Postgresql database configuration
   driverClass: org.postgresql.Driver
-  user:
-  password:
-  url:
+  user: example
+  password: password
+  url: jdbc:postgresql://example.com:5432/abusedb
+
+accountsDatabase: # Postgresql database configuration
+  driverClass: org.postgresql.Driver
+  user: example
+  password: password
+  url: jdbc:postgresql://example.com:5432/accountsdb
+
+accountDatabaseCrawler:
+  chunkSize: 10           # accounts per run
+  chunkIntervalMs: 60000  # time per run
 
 apn: # Apple Push Notifications configuration
   sandbox: true
-  bundleId:
-  keyId:
-  teamId:
-  signingKey:
+  bundleId: com.example.textsecuregcm
+  keyId: unset
+  teamId: unset
+  signingKey: |
+    -----BEGIN PRIVATE KEY-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAA
+    -----END PRIVATE KEY-----
 
 gcm: # GCM Configuration
-  senderId:
-  apiKey:
+  senderId: 123456789
+  apiKey: unset
 
-micrometer: # Micrometer metrics config
-  - name: "example"
-  - uri: "https://metrics.example.com/"
-  - apiKey:
-  - accountId:
+cdn:
+  accessKey: test    # AWS Access Key ID
+  accessSecret: test # AWS Access Secret
+  bucket: cdn        # S3 Bucket name
+  region: us-west-2  # AWS region
+
+datadog:
+  apiKey: unset
+  environment: dev
+
+unidentifiedDelivery:
+  certificate: ABCD1234
+  privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+  expiresDays: 7
+
+voiceVerification:
+  url: https://cdn-ca.signal.org/verification/
+  locales:
+    - en
+
+recaptcha:
+  secret: unset
+
+recaptchaV2:
+  siteKey: unset
+  scoreFloor: 1.0
+  projectPath: projects/example
+  credentialConfigurationJson: "{ }" # service account configuration for backend authentication
+
+storageService:
+  uri: storage.example.com
+  userAuthenticationTokenSharedSecret: 00000f
+  storageCaCertificate: |
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
+
+backupService:
+  uri: backup.example.com
+  userAuthenticationTokenSharedSecret: 00000f
+  backupCaCertificate: |
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
+
+zkConfig:
+  serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+appConfig:
+  application: example
+  environment: example
+  configuration: example
 
 remoteConfig:
   authorizedTokens:
@@ -130,6 +340,64 @@ remoteConfig:
     - # ...
     - # Nth authorized token
   globalConfig: # keys and values that are given to clients on GET /v1/config
+    EXAMPLE_KEY: VALUE
 
-paymentService:
-  userAuthenticationTokenSharedSecret: # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+paymentsService:
+  userAuthenticationTokenSharedSecret: 0000000f0000000f0000000f0000000f0000000f0000000f0000000f0000000f # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+  fixerApiKey: unset
+  paymentCurrencies:
+    # list of symbols for supported currencies
+    - MOB
+
+donation:
+  uri: donation.example.com # value
+  supportedCurrencies:
+    - # 1st supported currency
+    - # 2nd supported currency
+    - # ...
+    - # Nth supported currency
+
+badges:
+  badges:
+    - id: TEST
+      category: other
+      sprites: # exactly 6
+        - sprite-1.png
+        - sprite-2.png
+        - sprite-3.png
+        - sprite-4.png
+        - sprite-5.png
+        - sprite-6.png
+      svg: example.svg
+      svgs:
+        - light: example-light.svg
+          dark: example-dark.svg
+  badgeIdsEnabledForAll:
+    - TEST
+  receiptLevels:
+    '1': TEST
+
+subscription: # configuration for Stripe subscriptions
+  badgeGracePeriod: P15D
+  levels:
+    500:
+      badge: EXAMPLE
+      prices:
+        # list of ISO 4217 currency codes and amounts for the given badge level
+        xts:
+          amount: '10'
+          id: price_example # stripe ID
+
+boost:
+  level: 1
+  expiration: P90D
+  badge: EXAMPLE
+  currencies:
+    # ISO 4217 currency codes and amounts in those currencies
+    xts:
+      - '1'
+      - '2'
+      - '4'
+      - '8'
+      - '20'
+      - '40'

service/pom.xml

@@ -1,287 +1,620 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <parent>
-        <artifactId>TextSecureServer</artifactId>
-        <groupId>org.whispersystems.textsecure</groupId>
-        <version>1.0</version>
-    </parent>
-    <modelVersion>4.0.0</modelVersion>
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>service</artifactId>
 
-    <artifactId>service</artifactId>
-    <version>${TextSecureServer.version}</version>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>ossrh-snapshots</id>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+    </pluginRepository>
+  </pluginRepositories>
 
-    <properties>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    </properties>
+  <dependencies>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.validation</groupId>
+      <artifactId>jakarta.validation-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.ws.rs</groupId>
+      <artifactId>jakarta.ws.rs-api</artifactId>
+    </dependency>
 
-    <dependencies>
-        <dependency>
-            <groupId>org.whispersystems.textsecure</groupId>
-            <artifactId>redis-dispatch</artifactId>
-            <version>${TextSecureServer.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.whispersystems.textsecure</groupId>
-            <artifactId>websocket-resources</artifactId>
-            <version>${TextSecureServer.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.whispersystems.textsecure</groupId>
-            <artifactId>gcm-sender-async</artifactId>
-            <version>${TextSecureServer.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.google.guava</groupId>
-                    <artifactId>guava</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.signal</groupId>
-            <artifactId>zkgroup-java</artifactId>
-            <version>0.7.0</version>
-        </dependency>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>redis-dispatch</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>websocket-resources</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>gcm-sender-async</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.signal</groupId>
+      <artifactId>zkgroup-java</artifactId>
+      <version>0.8.2</version>
+    </dependency>
+    <dependency>
+      <groupId>org.whispersystems</groupId>
+      <artifactId>curve25519-java</artifactId>
+      <version>0.5.0</version>
+    </dependency>
 
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-jdbi3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-auth</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-db</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-logging</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-metrics</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-util</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-servlets</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-lifecycle</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-jersey</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-jetty</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-validation</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-migrations</artifactId>
+      <scope>runtime</scope>
+    </dependency>
 
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk16</artifactId>
-            <version>1.46</version>
-        </dependency>
-        <dependency>
-            <groupId>org.syslog4j</groupId>
-            <artifactId>syslog4j</artifactId>
-            <version>0.9.30</version>
-        </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-access</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>net.logstash.logback</groupId>
+      <artifactId>logstash-logback-encoder</artifactId>
+    </dependency>
 
+    <dependency>
+      <groupId>org.jdbi</groupId>
+      <artifactId>jdbi3-core</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>io.github.resilience4j</groupId>
-            <artifactId>resilience4j-circuitbreaker</artifactId>
-            <version>${resilience4j.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.slf4j</groupId>
-                    <artifactId>slf4j-api</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>io.github.resilience4j</groupId>
-            <artifactId>resilience4j-retry</artifactId>
-            <version>${resilience4j.version}</version>
-        </dependency>
+    <dependency>
+      <groupId>org.liquibase</groupId>
+      <artifactId>liquibase-core</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>io.micrometer</groupId>
-            <artifactId>micrometer-registry-wavefront</artifactId>
-            <version>1.5.3</version>
-        </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-jdbi3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-healthchecks</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.dropwizard.metrics</groupId>
+      <artifactId>metrics-annotation</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.core</groupId>
+      <artifactId>jersey-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.core</groupId>
+      <artifactId>jersey-server</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.core</groupId>
+      <artifactId>jersey-client</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jaxb</groupId>
+      <artifactId>jaxb-runtime</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk-s3</artifactId>
-            <version>${aws.sdk.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk-sqs</artifactId>
-            <version>${aws.sdk.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk-appconfig</artifactId>
-            <version>${aws.sdk.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>aws-java-sdk-dynamodb</artifactId>
-            <version>${aws.sdk.version}</version>
-        </dependency>
+    <dependency>
+      <groupId>io.dropwizard</groupId>
+      <artifactId>dropwizard-testing</artifactId>
+      <scope>test</scope>
+    </dependency>
 
-        <dependency>
-            <groupId>redis.clients</groupId>
-            <artifactId>jedis</artifactId>
-            <version>2.9.0</version>
-            <type>jar</type>
-            <scope>compile</scope>
-        </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty.websocket</groupId>
+      <artifactId>websocket-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-servlets</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>io.lettuce</groupId>
-            <artifactId>lettuce-core</artifactId>
-            <version>6.0.1.RELEASE</version>
-        </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-lang3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-csv</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>org.postgresql</groupId>
-            <artifactId>postgresql</artifactId>
-            <version>9.4-1201-jdbc41</version>
-        </dependency>
-        <dependency>
-            <groupId>org.whispersystems</groupId>
-            <artifactId>curve25519-java</artifactId>
-            <version>0.5.0</version>
-        </dependency>
+    <dependency>
+      <groupId>com.google.code.findbugs</groupId>
+      <artifactId>jsr305</artifactId>
+    </dependency>
 
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-circuitbreaker</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-retry</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>com.eatthepath</groupId>
-            <artifactId>pushy</artifactId>
-            <version>0.14.2</version>
-        </dependency>
-        <dependency>
-            <groupId>com.eatthepath</groupId>
-            <artifactId>pushy-dropwizard-metrics-listener</artifactId>
-            <version>0.14.2</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>io.dropwizard.metrics</groupId>
-                    <artifactId>metrics-core</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
+    <dependency>
+      <groupId>io.micrometer</groupId>
+      <artifactId>micrometer-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.micrometer</groupId>
+      <artifactId>micrometer-registry-datadog</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.coursera</groupId>
+      <artifactId>dropwizard-metrics-datadog</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-annotations</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-databind</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.dataformat</groupId>
+      <artifactId>jackson-dataformat-yaml</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.datatype</groupId>
+      <artifactId>jackson-datatype-jsr310</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.jaxrs</groupId>
+      <artifactId>jackson-jaxrs-json-provider</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-tcnative-boringssl-static</artifactId>
-            <version>2.0.34.Final</version>
-            <scope>runtime</scope>
-        </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>sts</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>s3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>sqs</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>dynamodb</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>appconfig</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>aws-java-sdk-s3</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>dynamodb-lock-client</artifactId>
+      <version>1.1.0</version>
+      <exclusions>
+        <exclusion>
+          <groupId>commons-logging</groupId>
+          <artifactId>commons-logging</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
 
-        <dependency>
-            <groupId>com.vdurmont</groupId>
-            <artifactId>semver4j</artifactId>
-            <version>3.1.0</version>
-        </dependency>
+    <dependency>
+      <groupId>redis.clients</groupId>
+      <artifactId>jedis</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>com.googlecode.libphonenumber</groupId>
-            <artifactId>libphonenumber</artifactId>
-            <version>8.12.17</version>
-        </dependency>
+    <dependency>
+      <groupId>io.lettuce</groupId>
+      <artifactId>lettuce-core</artifactId>
+    </dependency>
 
+    <dependency>
+      <groupId>org.postgresql</groupId>
+      <artifactId>postgresql</artifactId>
+      <scope>runtime</scope>
+    </dependency>
 
-        <dependency>
-            <groupId>org.glassfish.jersey.test-framework.providers</groupId>
-            <artifactId>jersey-test-framework-provider-grizzly2</artifactId>
-            <version>2.30</version>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>javax.servlet</groupId>
-                    <artifactId>javax.servlet-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>junit</groupId>
-                    <artifactId>junit</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
+    <dependency>
+      <groupId>com.eatthepath</groupId>
+      <artifactId>pushy</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.eatthepath</groupId>
+      <artifactId>pushy-dropwizard-metrics-listener</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>com.opentable.components</groupId>
-            <artifactId>otj-pg-embedded</artifactId>
-            <version>0.13.3</version>
-            <scope>test</scope>
-        </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-tcnative-boringssl-static</artifactId>
+      <scope>runtime</scope>
+    </dependency>
 
-        <dependency>
-            <groupId>org.signal</groupId>
-            <artifactId>embedded-redis</artifactId>
-            <version>0.8.1</version>
-            <scope>test</scope>
-        </dependency>
+    <dependency>
+      <groupId>com.vdurmont</groupId>
+      <artifactId>semver4j</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>com.fasterxml.uuid</groupId>
-            <artifactId>java-uuid-generator</artifactId>
-            <version>3.2.0</version>
-            <scope>test</scope>
-        </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>com.amazonaws</groupId>
-            <artifactId>DynamoDBLocal</artifactId>
-            <version>1.13.6</version>
-            <scope>test</scope>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.antlr</groupId>
-                    <artifactId>antlr4-runtime</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+    </dependency>
 
-        <dependency>
-            <groupId>pl.pragmatists</groupId>
-            <artifactId>JUnitParams</artifactId>
-            <version>1.1.1</version>
-            <scope>test</scope>
-        </dependency>
-    </dependencies>
+    <dependency>
+      <groupId>com.googlecode.libphonenumber</groupId>
+      <artifactId>libphonenumber</artifactId>
+    </dependency>
 
+    <dependency>
+      <groupId>net.sourceforge.argparse4j</groupId>
+      <artifactId>argparse4j</artifactId>
+    </dependency>
 
-    <build>
-        <finalName>${parent.artifactId}-${TextSecureServer.version}</finalName>
+    <dependency>
+      <groupId>org.glassfish.jersey.test-framework</groupId>
+      <artifactId>jersey-test-framework-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.glassfish.jersey.test-framework.providers</groupId>
+      <artifactId>jersey-test-framework-provider-grizzly2</artifactId>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.servlet</groupId>
+          <artifactId>javax.servlet-api</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>junit</groupId>
+          <artifactId>junit</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.opentable.components</groupId>
+      <artifactId>otj-pg-embedded</artifactId>
+      <version>0.13.3</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.almworks.sqlite4java</groupId>
+      <artifactId>sqlite4java</artifactId>
+      <version>1.0.392</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-core</artifactId>
+      <version>3.3.16.RELEASE</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-params</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.junit.vintage</groupId>
+      <artifactId>junit-vintage-engine</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.signal</groupId>
+      <artifactId>embedded-redis</artifactId>
+      <version>0.8.1</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.fasterxml.uuid</groupId>
+      <artifactId>java-uuid-generator</artifactId>
+      <version>3.2.0</version>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.amazonaws</groupId>
+      <artifactId>DynamoDBLocal</artifactId>
+      <version>1.16.0</version>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.antlr</groupId>
+          <artifactId>antlr4-runtime</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-recaptchaenterprise</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.stripe</groupId>
+      <artifactId>stripe-java</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>pl.pragmatists</groupId>
+      <artifactId>JUnitParams</artifactId>
+      <version>1.1.1</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <profiles>
+    <profile>
+      <id>exclude-abusive-message-filter</id>
+      <build>
         <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-shade-plugin</artifactId>
-                <version>1.6</version>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-shade-plugin</artifactId>
+            <version>3.2.4</version>
+            <configuration>
+              <createDependencyReducedPom>true</createDependencyReducedPom>
+              <filters>
+                <filter>
+                  <artifact>*:*</artifact>
+                  <excludes>
+                    <exclude>META-INF/*.SF</exclude>
+                    <exclude>META-INF/*.DSA</exclude>
+                    <exclude>META-INF/*.RSA</exclude>
+                  </excludes>
+                </filter>
+              </filters>
+            </configuration>
+            <executions>
+              <execution>
+                <phase>package</phase>
+                <goals>
+                  <goal>shade</goal>
+                </goals>
                 <configuration>
-                    <createDependencyReducedPom>true</createDependencyReducedPom>
-                    <filters>
-                        <filter>
-                            <artifact>*:*</artifact>
-                            <excludes>
-                                <exclude>META-INF/*.SF</exclude>
-                                <exclude>META-INF/*.DSA</exclude>
-                                <exclude>META-INF/*.RSA</exclude>
-                            </excludes>
-                        </filter>
-                    </filters>
+                  <transformers>
+                    <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
+                    <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                      <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
+                    </transformer>
+                  </transformers>
                 </configuration>
-                <executions>
-                    <execution>
-                        <phase>package</phase>
-                        <goals>
-                            <goal>shade</goal>
-                        </goals>
-                        <configuration>
-                            <transformers>
-                                <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
-                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
-                                    <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
-                                </transformer>
-                            </transformers>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
+              </execution>
+            </executions>
+          </plugin>
 
-            <plugin>
-                <artifactId>maven-assembly-plugin</artifactId>
-                <version>2.4</version>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-assembly-plugin</artifactId>
+            <version>3.3.0</version>
+            <configuration>
+              <descriptors>
+                <descriptor>assembly.xml</descriptor>
+              </descriptors>
+            </configuration>
+            <executions>
+              <execution>
+                <id>make-assembly</id> <!-- this is used for inheritance merges -->
+                <phase>package</phase> <!-- bind to the packaging phase -->
+                <goals>
+                  <goal>single</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+
+          <plugin>
+            <groupId>org.codehaus.mojo</groupId>
+            <artifactId>properties-maven-plugin</artifactId>
+            <version>1.0.0</version>
+            <executions>
+              <execution>
+                <id>read-deploy-configuration</id>
+                <phase>deploy</phase>
+                <goals>
+                  <goal>read-project-properties</goal>
+                </goals>
                 <configuration>
-                    <descriptors>
-                        <descriptor>assembly.xml</descriptor>
-                    </descriptors>
+                  <files>${project.basedir}/config/deploy.properties</files>
                 </configuration>
-                <executions>
-                    <execution>
-                        <id>make-assembly</id> <!-- this is used for inheritance merges -->
-                        <phase>package</phase> <!-- bind to the packaging phase -->
-                        <goals>
-                            <goal>single</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
+              </execution>
+            </executions>
+          </plugin>
+
+          <plugin>
+            <groupId>org.signal</groupId>
+            <artifactId>s3-upload-maven-plugin</artifactId>
+            <version>1.6-SNAPSHOT</version>
+            <configuration>
+              <source>${project.build.directory}/${project.build.finalName}-bin.tar.gz</source>
+              <bucketName>${deploy.bucketName}</bucketName>
+              <region>${deploy.bucketRegion}</region>
+              <destination>${project.build.finalName}-bin.tar.gz</destination>
+            </configuration>
+            <executions>
+              <execution>
+                <id>deploy-to-s3</id>
+                <phase>deploy</phase>
+                <goals>
+                  <goal>s3-upload</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
         </plugins>
-    </build>
+      </build>
+    </profile>
+  </profiles>
 
+  <build>
+    <finalName>${project.parent.artifactId}-${project.version}</finalName>
+    <plugins>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>templating-maven-plugin</artifactId>
+        <version>1.0.0</version>
+        <executions>
+          <execution>
+            <id>filter-src</id>
+            <goals>
+              <goal>filter-sources</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
 
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>3.0.0</version>
+        <executions>
+          <execution>
+            <id>check-all-service-config</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>java</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <mainClass>org.whispersystems.textsecuregcm.CheckServiceConfigurations</mainClass>
+          <classpathScope>test</classpathScope>
+          <arguments>
+            <argument>${project.basedir}/config</argument>
+          </arguments>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
 </project>

service/protobuf/Makefile

@@ -1,3 +0,0 @@
-
-all:
-	protoc --java_out=../src/main/java/ TextSecure.proto PubSubMessage.proto

service/src/main/java-templates/org/whispersystems/textsecuregcm/WhisperServerVersion.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm;
+
+public class WhisperServerVersion {
+
+  private static final String VERSION = "${project.version}";
+
+  public static String getServerVersion() {
+    return VERSION;
+  }
+}

service/src/main/java/org/signal/i18n/HeaderControlledResourceBundleLookup.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.i18n;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.util.List;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.ResourceBundle;
+import java.util.ResourceBundle.Control;
+import java.util.stream.Collectors;
+import javax.annotation.Nonnull;
+
+public class HeaderControlledResourceBundleLookup {
+
+  private static final int MAX_LOCALES = 15;
+
+  private final ResourceBundleFactory resourceBundleFactory;
+
+  public HeaderControlledResourceBundleLookup() {
+    this(ResourceBundle::getBundle);
+  }
+
+  @VisibleForTesting
+  public HeaderControlledResourceBundleLookup(
+      @Nonnull final ResourceBundleFactory resourceBundleFactory) {
+    this.resourceBundleFactory = Objects.requireNonNull(resourceBundleFactory);
+  }
+
+  @Nonnull
+  private List<Locale> getAcceptableLocales(final List<Locale> acceptableLanguages) {
+    return acceptableLanguages.stream().limit(MAX_LOCALES).distinct().collect(Collectors.toList());
+  }
+
+  @Nonnull
+  public ResourceBundle getResourceBundle(final String baseName, final List<Locale> acceptableLocales) {
+    final List<Locale> deduplicatedLocales = getAcceptableLocales(acceptableLocales);
+    final Locale desiredLocale = deduplicatedLocales.isEmpty() ? Locale.getDefault() : deduplicatedLocales.get(0);
+    // define a control with a fallback order as specified in the header
+    Control control = new Control() {
+      @Override
+      public List<String> getFormats(final String baseName) {
+        Objects.requireNonNull(baseName);
+        return Control.FORMAT_PROPERTIES;
+      }
+
+      @Override
+      public Locale getFallbackLocale(final String baseName, final Locale locale) {
+        Objects.requireNonNull(baseName);
+        if (locale.equals(Locale.getDefault())) {
+          return null;
+        }
+        final int localeIndex = deduplicatedLocales.indexOf(locale);
+        if (localeIndex < 0 || localeIndex >= deduplicatedLocales.size() - 1) {
+          return Locale.getDefault();
+        }
+        // [0, deduplicatedLocales.size() - 2] is now the possible range for localeIndex
+        return deduplicatedLocales.get(localeIndex + 1);
+      }
+    };
+
+    return resourceBundleFactory.createBundle(baseName, desiredLocale, control);
+  }
+}

service/src/main/java/org/signal/i18n/ResourceBundleFactory.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.i18n;
+
+import java.util.Locale;
+import java.util.ResourceBundle;
+
+public interface ResourceBundleFactory {
+  ResourceBundle createBundle(String baseName, Locale locale, ResourceBundle.Control control);
+}

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013-2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm;
@@ -7,30 +7,49 @@ package org.whispersystems.textsecuregcm;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.Configuration;
 import io.dropwizard.client.JerseyClientConfiguration;
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.configuration.AbusiveMessageFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AccountsDatabaseConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AccountsDynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BoostConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DatabaseConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DeletedAccountsDynamoDbConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
+import org.whispersystems.textsecuregcm.configuration.DonationConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
 import org.whispersystems.textsecuregcm.configuration.GcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountsDatabaseConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageDynamoDbConfiguration;
-import org.whispersystems.textsecuregcm.configuration.MicrometerConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PushConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RecaptchaV2Configuration;
 import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ReportMessageConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.TwilioConfiguration;
@@ -39,16 +58,24 @@ import org.whispersystems.textsecuregcm.configuration.VoiceVerificationConfigura
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
 import org.whispersystems.websocket.configuration.WebSocketConfiguration;
 
-import javax.validation.Valid;
-import javax.validation.constraints.NotNull;
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
 /** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
 public class WhisperServerConfiguration extends Configuration {
 
+  @NotNull
+  @Valid
+  @JsonProperty
+  private StripeConfiguration stripe;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DynamoDbClientConfiguration dynamoDbClientConfiguration;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DynamoDbTables dynamoDbTables;
+
   @NotNull
   @Valid
   @JsonProperty
@@ -77,7 +104,7 @@ public class WhisperServerConfiguration extends Configuration {
   @NotNull
   @Valid
   @JsonProperty
-  private MicrometerConfiguration micrometer;
+  private DatadogConfiguration datadog;
 
   @NotNull
   @Valid
@@ -99,6 +126,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private DirectoryConfiguration directory;
 
+  @NotNull
+  @Valid
+  @JsonProperty
+  private DirectoryV2Configuration directoryV2;
+
   @NotNull
   @Valid
   @JsonProperty
@@ -109,6 +141,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RedisClusterConfiguration pushSchedulerCluster;
 
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RedisClusterConfiguration rateLimitersCluster;
+
   @NotNull
   @Valid
   @JsonProperty
@@ -129,6 +166,51 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private DynamoDbConfiguration keysDynamoDb;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private AccountsDynamoDbConfiguration accountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration phoneNumberIdentifiersDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DeletedAccountsDynamoDbConfiguration deletedAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration deletedAccountsLockDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration pushChallengeDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration reportMessageDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration pendingAccountsDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration pendingDevicesDynamoDb;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DynamoDbConfiguration reservedUsernamesDynamoDb;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -194,6 +276,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RecaptchaConfiguration recaptcha;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RecaptchaV2Configuration recaptchaV2;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -224,12 +311,57 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private AppConfigConfiguration appConfig;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private DonationConfiguration donation;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private BadgesConfiguration badges;
+
+  @Valid
+  @JsonProperty
+  @NotNull
+  private SubscriptionConfiguration subscription;
+
+  @Valid
+  @JsonProperty
+  @NotNull
+  private BoostConfiguration boost;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ReportMessageConfiguration reportMessage = new ReportMessageConfiguration();
+
+  @Valid
+  @JsonProperty
+  private AbusiveMessageFilterConfiguration abusiveMessageFilter;
+
   private Map<String, String> transparentDataIndex = new HashMap<>();
 
+  public StripeConfiguration getStripe() {
+    return stripe;
+  }
+
+  public DynamoDbClientConfiguration getDynamoDbClientConfiguration() {
+    return dynamoDbClientConfiguration;
+  }
+
+  public DynamoDbTables getDynamoDbTables() {
+    return dynamoDbTables;
+  }
+
   public RecaptchaConfiguration getRecaptchaConfiguration() {
     return recaptcha;
   }
 
+  public RecaptchaV2Configuration getRecaptchaV2Configuration() {
+    return recaptchaV2;
+  }
+
   public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
     return voiceVerification;
   }
@@ -274,6 +406,10 @@ public class WhisperServerConfiguration extends Configuration {
     return directory;
   }
 
+  public DirectoryV2Configuration getDirectoryV2Configuration() {
+    return directoryV2;
+  }
+
   public SecureStorageServiceConfiguration getSecureStorageServiceConfiguration() {
     return storageService;
   }
@@ -294,6 +430,10 @@ public class WhisperServerConfiguration extends Configuration {
     return pushSchedulerCluster;
   }
 
+  public RedisClusterConfiguration getRateLimitersCluster() {
+    return rateLimitersCluster;
+  }
+
   public MessageDynamoDbConfiguration getMessageDynamoDbConfiguration() {
     return messageDynamoDb;
   }
@@ -302,6 +442,22 @@ public class WhisperServerConfiguration extends Configuration {
     return keysDynamoDb;
   }
 
+  public AccountsDynamoDbConfiguration getAccountsDynamoDbConfiguration() {
+    return accountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getPhoneNumberIdentifiersDynamoDbConfiguration() {
+    return phoneNumberIdentifiersDynamoDb;
+  }
+
+  public DeletedAccountsDynamoDbConfiguration getDeletedAccountsDynamoDbConfiguration() {
+    return deletedAccountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getDeletedAccountsLockDynamoDbConfiguration() {
+    return deletedAccountsLockDynamoDb;
+  }
+
   public DatabaseConfiguration getAbuseDatabaseConfiguration() {
     return abuseDatabase;
   }
@@ -330,8 +486,8 @@ public class WhisperServerConfiguration extends Configuration {
     return cdn;
   }
 
-  public MicrometerConfiguration getMicrometerConfiguration() {
-    return micrometer;
+  public DatadogConfiguration getDatadogConfiguration() {
+    return datadog;
   }
 
   public UnidentifiedDeliveryConfiguration getDeliveryCertificate() {
@@ -383,4 +539,48 @@ public class WhisperServerConfiguration extends Configuration {
   public AppConfigConfiguration getAppConfig() {
     return appConfig;
   }
+
+  public DynamoDbConfiguration getPushChallengeDynamoDbConfiguration() {
+    return pushChallengeDynamoDb;
+  }
+
+  public DynamoDbConfiguration getReportMessageDynamoDbConfiguration() {
+    return reportMessageDynamoDb;
+  }
+
+  public DynamoDbConfiguration getPendingAccountsDynamoDbConfiguration() {
+    return pendingAccountsDynamoDb;
+  }
+
+  public DynamoDbConfiguration getPendingDevicesDynamoDbConfiguration() {
+    return pendingDevicesDynamoDb;
+  }
+
+  public DynamoDbConfiguration getReservedUsernamesDynamoDbConfiguration() {
+    return reservedUsernamesDynamoDb;
+  }
+
+  public DonationConfiguration getDonationConfiguration() {
+    return donation;
+  }
+
+  public BadgesConfiguration getBadges() {
+    return badges;
+  }
+
+  public SubscriptionConfiguration getSubscription() {
+    return subscription;
+  }
+
+  public BoostConfiguration getBoost() {
+    return boost;
+  }
+
+  public ReportMessageConfiguration getReportMessageConfiguration() {
+    return reportMessage;
+  }
+
+  public AbusiveMessageFilterConfiguration getAbusiveMessageFilterConfiguration() {
+    return abusiveMessageFilter;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013-2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm;
@@ -7,15 +7,9 @@ package org.whispersystems.textsecuregcm;
 import static com.codahale.metrics.MetricRegistry.name;
 
 import com.amazonaws.ClientConfiguration;
-import com.amazonaws.auth.AWSCredentials;
-import com.amazonaws.auth.AWSCredentialsProvider;
-import com.amazonaws.auth.AWSStaticCredentialsProvider;
-import com.amazonaws.auth.BasicAWSCredentials;
 import com.amazonaws.auth.InstanceProfileCredentialsProvider;
+import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
 import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
-import com.amazonaws.services.dynamodbv2.document.DynamoDB;
-import com.amazonaws.services.s3.AmazonS3;
-import com.amazonaws.services.s3.AmazonS3Client;
 import com.codahale.metrics.SharedMetricRegistries;
 import com.codahale.metrics.jdbi3.strategies.DefaultNameStrategy;
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
@@ -23,6 +17,7 @@ import com.fasterxml.jackson.annotation.PropertyAccessor;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
 import io.dropwizard.Application;
 import io.dropwizard.auth.AuthFilter;
 import io.dropwizard.auth.PolymorphicAuthDynamicFeature;
@@ -35,19 +30,21 @@ import io.dropwizard.jdbi3.JdbiFactory;
 import io.dropwizard.setup.Bootstrap;
 import io.dropwizard.setup.Environment;
 import io.lettuce.core.resource.ClientResources;
-import io.micrometer.core.instrument.Clock;
+import io.micrometer.core.instrument.Meter.Id;
 import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
+import io.micrometer.core.instrument.config.MeterFilter;
 import io.micrometer.core.instrument.distribution.DistributionStatisticConfig;
-import io.micrometer.wavefront.WavefrontConfig;
-import io.micrometer.wavefront.WavefrontMeterRegistry;
+import io.micrometer.datadog.DatadogMeterRegistry;
 import java.net.http.HttpClient;
-import java.security.Security;
+import java.time.Clock;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
 import java.util.Optional;
+import java.util.ServiceLoader;
 import java.util.concurrent.ArrayBlockingQueue;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.ExecutorService;
@@ -56,27 +53,43 @@ import java.util.concurrent.TimeUnit;
 import javax.servlet.DispatcherType;
 import javax.servlet.FilterRegistration;
 import javax.servlet.ServletRegistration;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
+import org.glassfish.jersey.server.ServerProperties;
 import org.jdbi.v3.core.Jdbi;
+import org.signal.i18n.HeaderControlledResourceBundleLookup;
 import org.signal.zkgroup.ServerSecretParams;
 import org.signal.zkgroup.auth.ServerZkAuthOperations;
 import org.signal.zkgroup.profiles.ServerZkProfileOperations;
+import org.signal.zkgroup.receipts.ReceiptCredentialPresentation;
+import org.signal.zkgroup.receipts.ServerZkReceiptOperations;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.whispersystems.dispatch.DispatchManager;
+import org.whispersystems.textsecuregcm.abuse.AbusiveMessageFilter;
+import org.whispersystems.textsecuregcm.abuse.FilterAbusiveMessages;
 import org.whispersystems.textsecuregcm.auth.AccountAuthenticator;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
-import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccount;
 import org.whispersystems.textsecuregcm.auth.DisabledPermittedAccountAuthenticator;
+import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialGenerator;
 import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
+import org.whispersystems.textsecuregcm.auth.WebsocketRefreshApplicationEventListener;
+import org.whispersystems.textsecuregcm.badges.ConfiguredProfileBadgeConverter;
+import org.whispersystems.textsecuregcm.badges.ResourceBundleLevelTranslator;
 import org.whispersystems.textsecuregcm.configuration.DirectoryServerConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.controllers.AcceptNumericOnlineFlagRequestFilter;
 import org.whispersystems.textsecuregcm.controllers.AccountController;
 import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV1;
 import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV2;
 import org.whispersystems.textsecuregcm.controllers.AttachmentControllerV3;
 import org.whispersystems.textsecuregcm.controllers.CertificateController;
+import org.whispersystems.textsecuregcm.controllers.ChallengeController;
 import org.whispersystems.textsecuregcm.controllers.DeviceController;
 import org.whispersystems.textsecuregcm.controllers.DirectoryController;
+import org.whispersystems.textsecuregcm.controllers.DirectoryV2Controller;
+import org.whispersystems.textsecuregcm.controllers.DonationController;
 import org.whispersystems.textsecuregcm.controllers.KeepAliveController;
 import org.whispersystems.textsecuregcm.controllers.KeysController;
 import org.whispersystems.textsecuregcm.controllers.MessageController;
@@ -87,19 +100,33 @@ import org.whispersystems.textsecuregcm.controllers.RemoteConfigController;
 import org.whispersystems.textsecuregcm.controllers.SecureBackupController;
 import org.whispersystems.textsecuregcm.controllers.SecureStorageController;
 import org.whispersystems.textsecuregcm.controllers.StickerController;
+import org.whispersystems.textsecuregcm.controllers.SubscriptionController;
 import org.whispersystems.textsecuregcm.controllers.VoiceVerificationController;
 import org.whispersystems.textsecuregcm.currency.CurrencyConversionManager;
 import org.whispersystems.textsecuregcm.currency.FixerClient;
 import org.whispersystems.textsecuregcm.currency.FtxClient;
 import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
+import org.whispersystems.textsecuregcm.filters.ContentLengthFilter;
 import org.whispersystems.textsecuregcm.filters.RemoteDeprecationFilter;
 import org.whispersystems.textsecuregcm.filters.TimestampResponseFilter;
+import org.whispersystems.textsecuregcm.limits.PreKeyRateLimiter;
+import org.whispersystems.textsecuregcm.limits.PushChallengeManager;
+import org.whispersystems.textsecuregcm.limits.RateLimitChallengeManager;
+import org.whispersystems.textsecuregcm.limits.RateLimitResetMetricsManager;
 import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.limits.UnsealedSenderRateLimiter;
 import org.whispersystems.textsecuregcm.liquibase.NameableMigrationsBundle;
+import org.whispersystems.textsecuregcm.mappers.CompletionExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.DeviceLimitExceededExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.IOExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.ImpossiblePhoneNumberExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.InvalidWebsocketAddressExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.NonNormalizedPhoneNumberExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.RateLimitChallengeExceptionMapper;
 import org.whispersystems.textsecuregcm.mappers.RateLimitExceededExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.RetryLaterExceptionMapper;
+import org.whispersystems.textsecuregcm.mappers.ServerRejectedExceptionMapper;
+import org.whispersystems.textsecuregcm.metrics.ApplicationShutdownMonitor;
 import org.whispersystems.textsecuregcm.metrics.BufferPoolGauges;
 import org.whispersystems.textsecuregcm.metrics.CpuUsageGauge;
 import org.whispersystems.textsecuregcm.metrics.FileDescriptorGauge;
@@ -107,11 +134,13 @@ import org.whispersystems.textsecuregcm.metrics.FreeMemoryGauge;
 import org.whispersystems.textsecuregcm.metrics.GarbageCollectionGauges;
 import org.whispersystems.textsecuregcm.metrics.MaxFileDescriptorGauge;
 import org.whispersystems.textsecuregcm.metrics.MetricsApplicationEventListener;
+import org.whispersystems.textsecuregcm.metrics.MetricsRequestEventListener;
 import org.whispersystems.textsecuregcm.metrics.NetworkReceivedGauge;
 import org.whispersystems.textsecuregcm.metrics.NetworkSentGauge;
 import org.whispersystems.textsecuregcm.metrics.OperatingSystemMemoryGauge;
 import org.whispersystems.textsecuregcm.metrics.PushLatencyManager;
 import org.whispersystems.textsecuregcm.metrics.TrafficSource;
+import org.whispersystems.textsecuregcm.providers.MultiRecipientMessageProvider;
 import org.whispersystems.textsecuregcm.providers.RedisClientFactory;
 import org.whispersystems.textsecuregcm.providers.RedisClusterHealthCheck;
 import org.whispersystems.textsecuregcm.push.APNSender;
@@ -121,77 +150,101 @@ import org.whispersystems.textsecuregcm.push.GCMSender;
 import org.whispersystems.textsecuregcm.push.MessageSender;
 import org.whispersystems.textsecuregcm.push.ProvisioningManager;
 import org.whispersystems.textsecuregcm.push.ReceiptSender;
-import org.whispersystems.textsecuregcm.recaptcha.RecaptchaClient;
+import org.whispersystems.textsecuregcm.recaptcha.EnterpriseRecaptchaClient;
+import org.whispersystems.textsecuregcm.recaptcha.LegacyRecaptchaClient;
+import org.whispersystems.textsecuregcm.recaptcha.TransitionalRecaptchaClient;
 import org.whispersystems.textsecuregcm.redis.ConnectionEventLogger;
 import org.whispersystems.textsecuregcm.redis.FaultTolerantRedisCluster;
 import org.whispersystems.textsecuregcm.redis.ReplicatedJedisPool;
 import org.whispersystems.textsecuregcm.s3.PolicySigner;
 import org.whispersystems.textsecuregcm.s3.PostPolicyGenerator;
+import org.whispersystems.textsecuregcm.securebackup.SecureBackupClient;
+import org.whispersystems.textsecuregcm.securestorage.SecureStorageClient;
 import org.whispersystems.textsecuregcm.sms.SmsSender;
 import org.whispersystems.textsecuregcm.sms.TwilioSmsSender;
+import org.whispersystems.textsecuregcm.sms.TwilioVerifyExperimentEnrollmentManager;
 import org.whispersystems.textsecuregcm.sqs.DirectoryQueue;
 import org.whispersystems.textsecuregcm.storage.AbusiveHostRules;
-import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.AccountCleaner;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawler;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerCache;
 import org.whispersystems.textsecuregcm.storage.AccountDatabaseCrawlerListener;
 import org.whispersystems.textsecuregcm.storage.Accounts;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
-import org.whispersystems.textsecuregcm.storage.ActiveUserCounter;
+import org.whispersystems.textsecuregcm.storage.ContactDiscoveryWriter;
+import org.whispersystems.textsecuregcm.storage.DeletedAccounts;
+import org.whispersystems.textsecuregcm.storage.DeletedAccountsDirectoryReconciler;
+import org.whispersystems.textsecuregcm.storage.DeletedAccountsManager;
+import org.whispersystems.textsecuregcm.storage.DeletedAccountsTableCrawler;
 import org.whispersystems.textsecuregcm.storage.DirectoryReconciler;
 import org.whispersystems.textsecuregcm.storage.DirectoryReconciliationClient;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
 import org.whispersystems.textsecuregcm.storage.FaultTolerantDatabase;
-import org.whispersystems.textsecuregcm.storage.KeysDynamoDb;
+import org.whispersystems.textsecuregcm.storage.IssuedReceiptsManager;
+import org.whispersystems.textsecuregcm.storage.Keys;
 import org.whispersystems.textsecuregcm.storage.MessagePersister;
 import org.whispersystems.textsecuregcm.storage.MessagesCache;
 import org.whispersystems.textsecuregcm.storage.MessagesDynamoDb;
 import org.whispersystems.textsecuregcm.storage.MessagesManager;
-import org.whispersystems.textsecuregcm.storage.PendingAccounts;
-import org.whispersystems.textsecuregcm.storage.PendingAccountsManager;
-import org.whispersystems.textsecuregcm.storage.PendingDevices;
-import org.whispersystems.textsecuregcm.storage.PendingDevicesManager;
+import org.whispersystems.textsecuregcm.storage.NonNormalizedAccountCrawlerListener;
+import org.whispersystems.textsecuregcm.storage.PhoneNumberIdentifiers;
 import org.whispersystems.textsecuregcm.storage.Profiles;
 import org.whispersystems.textsecuregcm.storage.ProfilesManager;
 import org.whispersystems.textsecuregcm.storage.PubSubManager;
+import org.whispersystems.textsecuregcm.storage.PushChallengeDynamoDb;
 import org.whispersystems.textsecuregcm.storage.PushFeedbackProcessor;
-import org.whispersystems.textsecuregcm.storage.RegistrationLockVersionCounter;
+import org.whispersystems.textsecuregcm.storage.RedeemedReceiptsManager;
 import org.whispersystems.textsecuregcm.storage.RemoteConfigs;
 import org.whispersystems.textsecuregcm.storage.RemoteConfigsManager;
+import org.whispersystems.textsecuregcm.storage.ReportMessageDynamoDb;
+import org.whispersystems.textsecuregcm.storage.ReportMessageManager;
 import org.whispersystems.textsecuregcm.storage.ReservedUsernames;
+import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
+import org.whispersystems.textsecuregcm.storage.SubscriptionManager;
 import org.whispersystems.textsecuregcm.storage.Usernames;
 import org.whispersystems.textsecuregcm.storage.UsernamesManager;
+import org.whispersystems.textsecuregcm.storage.VerificationCodeStore;
+import org.whispersystems.textsecuregcm.stripe.StripeManager;
 import org.whispersystems.textsecuregcm.util.Constants;
+import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
+import org.whispersystems.textsecuregcm.util.HostnameUtil;
+import org.whispersystems.textsecuregcm.util.logging.LoggingUnhandledExceptionMapper;
+import org.whispersystems.textsecuregcm.util.logging.UncaughtExceptionHandler;
 import org.whispersystems.textsecuregcm.websocket.AuthenticatedConnectListener;
 import org.whispersystems.textsecuregcm.websocket.DeadLetterHandler;
 import org.whispersystems.textsecuregcm.websocket.ProvisioningConnectListener;
 import org.whispersystems.textsecuregcm.websocket.WebSocketAccountAuthenticator;
 import org.whispersystems.textsecuregcm.workers.CertificateCommand;
+import org.whispersystems.textsecuregcm.workers.CheckDynamicConfigurationCommand;
 import org.whispersystems.textsecuregcm.workers.DeleteUserCommand;
-import org.whispersystems.textsecuregcm.workers.GetRedisCommandStatsCommand;
-import org.whispersystems.textsecuregcm.workers.GetRedisSlowlogCommand;
+import org.whispersystems.textsecuregcm.workers.ReserveUsernameCommand;
+import org.whispersystems.textsecuregcm.workers.ServerVersionCommand;
 import org.whispersystems.textsecuregcm.workers.SetCrawlerAccelerationTask;
 import org.whispersystems.textsecuregcm.workers.SetRequestLoggingEnabledTask;
-import org.whispersystems.textsecuregcm.workers.VacuumCommand;
+import org.whispersystems.textsecuregcm.workers.SetUserDiscoverabilityCommand;
 import org.whispersystems.textsecuregcm.workers.ZkParamsCommand;
 import org.whispersystems.websocket.WebSocketResourceProviderFactory;
 import org.whispersystems.websocket.setup.WebSocketEnvironment;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
+import software.amazon.awssdk.services.s3.S3Client;
 
 public class WhisperServerService extends Application<WhisperServerConfiguration> {
 
-  static {
-    Security.addProvider(new BouncyCastleProvider());
-  }
+  private static final Logger log = LoggerFactory.getLogger(WhisperServerService.class);
 
   @Override
   public void initialize(Bootstrap<WhisperServerConfiguration> bootstrap) {
-    bootstrap.addCommand(new VacuumCommand());
     bootstrap.addCommand(new DeleteUserCommand());
     bootstrap.addCommand(new CertificateCommand());
     bootstrap.addCommand(new ZkParamsCommand());
-    bootstrap.addCommand(new GetRedisSlowlogCommand());
-    bootstrap.addCommand(new GetRedisCommandStatsCommand());
+    bootstrap.addCommand(new ServerVersionCommand());
+    bootstrap.addCommand(new CheckDynamicConfigurationCommand());
+    bootstrap.addCommand(new SetUserDiscoverabilityCommand());
+    bootstrap.addCommand(new ReserveUsernameCommand());
 
     bootstrap.addBundle(new NameableMigrationsBundle<WhisperServerConfiguration>("accountdb", "accountsdb.xml") {
       @Override
@@ -200,7 +253,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
       }
     });
 
-
     bootstrap.addBundle(new NameableMigrationsBundle<WhisperServerConfiguration>("abusedb", "abusedb.xml") {
       @Override
       public PooledDataSourceFactory getDataSourceFactory(WhisperServerConfiguration configuration) {
@@ -215,40 +267,53 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
   }
 
   @Override
-  public void run(WhisperServerConfiguration config, Environment environment)
-      throws Exception
-  {
+  public void run(WhisperServerConfiguration config, Environment environment) throws Exception {
+    final Clock clock = Clock.systemUTC();
+    final int availableProcessors = Runtime.getRuntime().availableProcessors();
+
+    UncaughtExceptionHandler.register();
+
     SharedMetricRegistries.add(Constants.METRICS_NAME, environment.metrics());
 
-    Metrics.addRegistry(new WavefrontMeterRegistry(new WavefrontConfig() {
-      @Override
-      public String get(final String key) {
-        return null;
-      }
+    final DistributionStatisticConfig defaultDistributionStatisticConfig = DistributionStatisticConfig.builder()
+        .percentiles(.75, .95, .99, .999)
+        .build();
 
-      @Override
-      public String uri() {
-        return config.getMicrometerConfiguration().getUri();
-      }
+    {
+      final DatadogMeterRegistry datadogMeterRegistry = new DatadogMeterRegistry(
+          config.getDatadogConfiguration(), io.micrometer.core.instrument.Clock.SYSTEM);
 
-      @Override
-      public int batchSize() {
-        return config.getMicrometerConfiguration().getBatchSize();
-      }
-    }, Clock.SYSTEM) {
-      @Override
-      protected DistributionStatisticConfig defaultHistogramConfig() {
-        return DistributionStatisticConfig.builder()
-                .percentiles(.75, .95, .99, .999)
-                .build()
-                .merge(super.defaultHistogramConfig());
-      }
-    });
+      datadogMeterRegistry.config().commonTags(
+          Tags.of(
+              "service", "chat",
+              "host", HostnameUtil.getLocalHostname(),
+              "version", WhisperServerVersion.getServerVersion(),
+              "env", config.getDatadogConfiguration().getEnvironment()))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.REQUEST_COUNTER_NAME))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.ANDROID_REQUEST_COUNTER_NAME))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.DESKTOP_REQUEST_COUNTER_NAME))
+          .meterFilter(MeterFilter.denyNameStartsWith(MetricsRequestEventListener.IOS_REQUEST_COUNTER_NAME))
+          .meterFilter(new MeterFilter() {
+            @Override
+            public DistributionStatisticConfig configure(final Id id, final DistributionStatisticConfig config) {
+              return defaultDistributionStatisticConfig.merge(config);
+            }
+          });
+
+      Metrics.addRegistry(datadogMeterRegistry);
+    }
 
     environment.getObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
     environment.getObjectMapper().setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
     environment.getObjectMapper().setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
 
+    HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup =
+        new HeaderControlledResourceBundleLookup();
+    ConfiguredProfileBadgeConverter profileBadgeConverter = new ConfiguredProfileBadgeConverter(
+        clock, config.getBadges(), headerControlledResourceBundleLookup);
+    ResourceBundleLevelTranslator resourceBundleLevelTranslator = new ResourceBundleLevelTranslator(
+        headerControlledResourceBundleLookup);
+
     JdbiFactory jdbiFactory = new JdbiFactory(DefaultNameStrategy.CHECK_EMPTY);
     Jdbi        accountJdbi = jdbiFactory.build(environment, config.getAccountsDatabaseConfiguration(), "accountdb");
     Jdbi        abuseJdbi   = jdbiFactory.build(environment, config.getAbuseDatabaseConfiguration(), "abusedb"  );
@@ -256,202 +321,406 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     FaultTolerantDatabase accountDatabase = new FaultTolerantDatabase("accounts_database", accountJdbi, config.getAccountsDatabaseConfiguration().getCircuitBreakerConfiguration());
     FaultTolerantDatabase abuseDatabase   = new FaultTolerantDatabase("abuse_database", abuseJdbi, config.getAbuseDatabaseConfiguration().getCircuitBreakerConfiguration());
 
-    AmazonDynamoDBClientBuilder messageDynamoDbClientBuilder = AmazonDynamoDBClientBuilder
-            .standard()
-            .withRegion(config.getMessageDynamoDbConfiguration().getRegion())
-            .withClientConfiguration(new ClientConfiguration().withClientExecutionTimeout(((int) config.getMessageDynamoDbConfiguration().getClientExecutionTimeout().toMillis()))
-                                                              .withRequestTimeout((int) config.getMessageDynamoDbConfiguration().getClientRequestTimeout().toMillis()))
-            .withCredentials(InstanceProfileCredentialsProvider.getInstance());
+    DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(
+        config.getDynamoDbClientConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
 
-    AmazonDynamoDBClientBuilder keysDynamoDbClientBuilder = AmazonDynamoDBClientBuilder
-            .standard()
-            .withRegion(config.getKeysDynamoDbConfiguration().getRegion())
-            .withClientConfiguration(new ClientConfiguration().withClientExecutionTimeout(((int) config.getKeysDynamoDbConfiguration().getClientExecutionTimeout().toMillis()))
-                                                              .withRequestTimeout((int) config.getKeysDynamoDbConfiguration().getClientRequestTimeout().toMillis()))
-            .withCredentials(InstanceProfileCredentialsProvider.getInstance());
+    DynamoDbClient messageDynamoDb = DynamoDbFromConfig.client(config.getMessageDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
 
-    DynamoDB messageDynamoDb = new DynamoDB(messageDynamoDbClientBuilder.build());
-    DynamoDB preKeyDynamoDb = new DynamoDB(keysDynamoDbClientBuilder.build());
+    DynamoDbClient preKeyDynamoDb = DynamoDbFromConfig.client(config.getKeysDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
 
-    Accounts          accounts          = new Accounts(accountDatabase);
-    PendingAccounts   pendingAccounts   = new PendingAccounts(accountDatabase);
-    PendingDevices    pendingDevices    = new PendingDevices (accountDatabase);
-    Usernames         usernames         = new Usernames(accountDatabase);
-    ReservedUsernames reservedUsernames = new ReservedUsernames(accountDatabase);
-    Profiles          profiles          = new Profiles(accountDatabase);
-    KeysDynamoDb      keysDynamoDb      = new KeysDynamoDb(preKeyDynamoDb, config.getKeysDynamoDbConfiguration().getTableName());
-    MessagesDynamoDb  messagesDynamoDb  = new MessagesDynamoDb(messageDynamoDb, config.getMessageDynamoDbConfiguration().getTableName(), config.getMessageDynamoDbConfiguration().getTimeToLive());
-    AbusiveHostRules  abusiveHostRules  = new AbusiveHostRules(abuseDatabase);
-    RemoteConfigs     remoteConfigs     = new RemoteConfigs(accountDatabase);
+    DynamoDbClient accountsDynamoDbClient = DynamoDbFromConfig.client(config.getAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient reservedUsernamesDynamoDbClient = DynamoDbFromConfig.client(config.getReservedUsernamesDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient phoneNumberIdentifiersDynamoDbClient =
+        DynamoDbFromConfig.client(config.getPhoneNumberIdentifiersDynamoDbConfiguration(),
+            software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient deletedAccountsDynamoDbClient = DynamoDbFromConfig.client(config.getDeletedAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient pushChallengeDynamoDbClient = DynamoDbFromConfig.client(
+        config.getPushChallengeDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient reportMessageDynamoDbClient = DynamoDbFromConfig.client(
+        config.getReportMessageDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient pendingAccountsDynamoDbClient = DynamoDbFromConfig.client(
+        config.getPendingAccountsDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    DynamoDbClient pendingDevicesDynamoDbClient = DynamoDbFromConfig.client(
+        config.getPendingDevicesDynamoDbConfiguration(),
+        software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider.create());
+
+    AmazonDynamoDB deletedAccountsLockDynamoDbClient = AmazonDynamoDBClientBuilder.standard()
+        .withRegion(config.getDeletedAccountsLockDynamoDbConfiguration().getRegion())
+        .withClientConfiguration(new ClientConfiguration().withClientExecutionTimeout(
+                ((int) config.getDeletedAccountsLockDynamoDbConfiguration().getClientExecutionTimeout().toMillis()))
+            .withRequestTimeout(
+                (int) config.getDeletedAccountsLockDynamoDbConfiguration().getClientRequestTimeout().toMillis()))
+        .withCredentials(InstanceProfileCredentialsProvider.getInstance())
+        .build();
+
+    DeletedAccounts deletedAccounts = new DeletedAccounts(deletedAccountsDynamoDbClient,
+        config.getDeletedAccountsDynamoDbConfiguration().getTableName(),
+        config.getDeletedAccountsDynamoDbConfiguration().getNeedsReconciliationIndexName());
+
+    Accounts accounts = new Accounts(accountsDynamoDbClient,
+        config.getAccountsDynamoDbConfiguration().getTableName(),
+        config.getAccountsDynamoDbConfiguration().getPhoneNumberTableName(),
+        config.getAccountsDynamoDbConfiguration().getPhoneNumberIdentifierTableName(),
+        config.getAccountsDynamoDbConfiguration().getScanPageSize());
+    PhoneNumberIdentifiers phoneNumberIdentifiers = new PhoneNumberIdentifiers(phoneNumberIdentifiersDynamoDbClient,
+        config.getPhoneNumberIdentifiersDynamoDbConfiguration().getTableName());
+    Usernames usernames = new Usernames(accountDatabase);
+    ReservedUsernames reservedUsernames = new ReservedUsernames(reservedUsernamesDynamoDbClient,
+        config.getReservedUsernamesDynamoDbConfiguration().getTableName());
+    Profiles profiles = new Profiles(accountDatabase);
+    Keys keys = new Keys(preKeyDynamoDb, config.getKeysDynamoDbConfiguration().getTableName());
+    MessagesDynamoDb messagesDynamoDb = new MessagesDynamoDb(messageDynamoDb,
+        config.getMessageDynamoDbConfiguration().getTableName(),
+        config.getMessageDynamoDbConfiguration().getTimeToLive());
+    AbusiveHostRules abusiveHostRules = new AbusiveHostRules(abuseDatabase);
+    RemoteConfigs remoteConfigs = new RemoteConfigs(accountDatabase);
+    PushChallengeDynamoDb pushChallengeDynamoDb = new PushChallengeDynamoDb(pushChallengeDynamoDbClient, config.getPushChallengeDynamoDbConfiguration().getTableName());
+    ReportMessageDynamoDb reportMessageDynamoDb = new ReportMessageDynamoDb(reportMessageDynamoDbClient, config.getReportMessageDynamoDbConfiguration().getTableName(), config.getReportMessageConfiguration().getReportTtl());
+    VerificationCodeStore pendingAccounts = new VerificationCodeStore(pendingAccountsDynamoDbClient, config.getPendingAccountsDynamoDbConfiguration().getTableName());
+    VerificationCodeStore pendingDevices = new VerificationCodeStore(pendingDevicesDynamoDbClient, config.getPendingDevicesDynamoDbConfiguration().getTableName());
 
     RedisClientFactory  pubSubClientFactory = new RedisClientFactory("pubsub_cache", config.getPubsubCacheConfiguration().getUrl(), config.getPubsubCacheConfiguration().getReplicaUrls(), config.getPubsubCacheConfiguration().getCircuitBreakerConfiguration());
     ReplicatedJedisPool pubsubClient        = pubSubClientFactory.getRedisClientPool();
 
-    ClientResources generalCacheClientResources       = ClientResources.builder().build();
-    ClientResources messageCacheClientResources       = ClientResources.builder().build();
-    ClientResources presenceClientResources           = ClientResources.builder().build();
-    ClientResources metricsCacheClientResources       = ClientResources.builder().build();
-    ClientResources pushSchedulerCacheClientResources = ClientResources.builder().ioThreadPoolSize(4).build();
+    ClientResources redisClientResources = ClientResources.builder().build();
+    ConnectionEventLogger.logConnectionEvents(redisClientResources);
 
-    ConnectionEventLogger.logConnectionEvents(generalCacheClientResources);
-    ConnectionEventLogger.logConnectionEvents(messageCacheClientResources);
-    ConnectionEventLogger.logConnectionEvents(presenceClientResources);
-    ConnectionEventLogger.logConnectionEvents(metricsCacheClientResources);
-
-    FaultTolerantRedisCluster cacheCluster             = new FaultTolerantRedisCluster("main_cache_cluster", config.getCacheClusterConfiguration(), generalCacheClientResources);
-    FaultTolerantRedisCluster messagesCluster          = new FaultTolerantRedisCluster("message_insert_cluster", config.getMessageCacheConfiguration().getRedisClusterConfiguration(), messageCacheClientResources);
-    FaultTolerantRedisCluster clientPresenceCluster    = new FaultTolerantRedisCluster("client_presence_cluster", config.getClientPresenceClusterConfiguration(), presenceClientResources);
-    FaultTolerantRedisCluster metricsCluster           = new FaultTolerantRedisCluster("metrics_cluster", config.getMetricsClusterConfiguration(), metricsCacheClientResources);
-    FaultTolerantRedisCluster pushSchedulerCluster     = new FaultTolerantRedisCluster("push_scheduler", config.getPushSchedulerCluster(), pushSchedulerCacheClientResources);
+    FaultTolerantRedisCluster cacheCluster             = new FaultTolerantRedisCluster("main_cache_cluster", config.getCacheClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster messagesCluster          = new FaultTolerantRedisCluster("messages_cluster", config.getMessageCacheConfiguration().getRedisClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster clientPresenceCluster    = new FaultTolerantRedisCluster("client_presence_cluster", config.getClientPresenceClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster metricsCluster           = new FaultTolerantRedisCluster("metrics_cluster", config.getMetricsClusterConfiguration(), redisClientResources);
+    FaultTolerantRedisCluster pushSchedulerCluster     = new FaultTolerantRedisCluster("push_scheduler", config.getPushSchedulerCluster(), redisClientResources);
+    FaultTolerantRedisCluster rateLimitersCluster      = new FaultTolerantRedisCluster("rate_limiters", config.getRateLimitersCluster(), redisClientResources);
 
     BlockingQueue<Runnable> keyspaceNotificationDispatchQueue = new ArrayBlockingQueue<>(10_000);
     Metrics.gaugeCollectionSize(name(getClass(), "keyspaceNotificationDispatchQueueSize"), Collections.emptyList(), keyspaceNotificationDispatchQueue);
 
-    ScheduledExecutorService recurringJobExecutor                 = environment.lifecycle().scheduledExecutorService(name(getClass(), "recurringJob-%d")).threads(2).build();
+    ScheduledExecutorService recurringJobExecutor = environment.lifecycle()
+        .scheduledExecutorService(name(getClass(), "recurringJob-%d")).threads(6).build();
+    ScheduledExecutorService retrySchedulingExecutor              = environment.lifecycle().scheduledExecutorService(name(getClass(), "retry-%d")).threads(2).build();
     ExecutorService          keyspaceNotificationDispatchExecutor = environment.lifecycle().executorService(name(getClass(), "keyspaceNotification-%d")).maxThreads(16).workQueue(keyspaceNotificationDispatchQueue).build();
     ExecutorService          apnSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "apnSender-%d")).maxThreads(1).minThreads(1).build();
     ExecutorService          gcmSenderExecutor                    = environment.lifecycle().executorService(name(getClass(), "gcmSender-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          backupServiceExecutor                = environment.lifecycle().executorService(name(getClass(), "backupService-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService          storageServiceExecutor               = environment.lifecycle().executorService(name(getClass(), "storageService-%d")).maxThreads(1).minThreads(1).build();
+    ExecutorService multiRecipientMessageExecutor = environment.lifecycle()
+        .executorService(name(getClass(), "multiRecipientMessage-%d")).minThreads(64).maxThreads(64).build();
+    ExecutorService stripeExecutor = environment.lifecycle().executorService(name(getClass(), "stripe-%d")).
+        maxThreads(availableProcessors).  // mostly this is IO bound so tying to number of processors is tenuous at best
+        minThreads(availableProcessors).  // mostly this is IO bound so tying to number of processors is tenuous at best
+        allowCoreThreadTimeOut(true).
+        build();
+
+    StripeManager stripeManager = new StripeManager(config.getStripe().getApiKey(), stripeExecutor,
+        config.getStripe().getIdempotencyKeyGenerator(), config.getStripe().getBoostDescription());
+
+    ExternalServiceCredentialGenerator directoryCredentialsGenerator = new ExternalServiceCredentialGenerator(
+        config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenSharedSecret(),
+        config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenUserIdSecret());
+    ExternalServiceCredentialGenerator directoryV2CredentialsGenerator = new ExternalServiceCredentialGenerator(
+        config.getDirectoryV2Configuration().getDirectoryV2ClientConfiguration()
+            .getUserAuthenticationTokenSharedSecret(), false);
+
+    DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager =
+        new DynamicConfigurationManager<>(config.getAppConfig().getApplication(),
+            config.getAppConfig().getEnvironment(),
+            config.getAppConfig().getConfigurationName(),
+            DynamicConfiguration.class);
 
-    DynamicConfigurationManager dynamicConfigurationManager = new DynamicConfigurationManager(config.getAppConfig().getApplication(), config.getAppConfig().getEnvironment(), config.getAppConfig().getConfigurationName());
     dynamicConfigurationManager.start();
 
     ExperimentEnrollmentManager experimentEnrollmentManager = new ExperimentEnrollmentManager(dynamicConfigurationManager);
 
+    TwilioVerifyExperimentEnrollmentManager verifyExperimentEnrollmentManager = new TwilioVerifyExperimentEnrollmentManager(
+        config.getVoiceVerificationConfiguration(), experimentEnrollmentManager);
+
+    ExternalServiceCredentialGenerator storageCredentialsGenerator = new ExternalServiceCredentialGenerator(
+        config.getSecureStorageServiceConfiguration().getUserAuthenticationTokenSharedSecret(), true);
+    ExternalServiceCredentialGenerator backupCredentialsGenerator = new ExternalServiceCredentialGenerator(
+        config.getSecureBackupServiceConfiguration().getUserAuthenticationTokenSharedSecret(), true);
+    ExternalServiceCredentialGenerator paymentsCredentialsGenerator = new ExternalServiceCredentialGenerator(
+        config.getPaymentsServiceConfiguration().getUserAuthenticationTokenSharedSecret(), true);
+
+    SecureBackupClient         secureBackupClient         = new SecureBackupClient(backupCredentialsGenerator, backupServiceExecutor, config.getSecureBackupServiceConfiguration());
+    SecureStorageClient        secureStorageClient        = new SecureStorageClient(storageCredentialsGenerator, storageServiceExecutor, config.getSecureStorageServiceConfiguration());
     ClientPresenceManager      clientPresenceManager      = new ClientPresenceManager(clientPresenceCluster, recurringJobExecutor, keyspaceNotificationDispatchExecutor);
     DirectoryQueue             directoryQueue             = new DirectoryQueue(config.getDirectoryConfiguration().getSqsConfiguration());
-    PendingAccountsManager     pendingAccountsManager     = new PendingAccountsManager(pendingAccounts, cacheCluster);
-    PendingDevicesManager      pendingDevicesManager      = new PendingDevicesManager(pendingDevices, cacheCluster);
+    StoredVerificationCodeManager pendingAccountsManager  = new StoredVerificationCodeManager(pendingAccounts);
+    StoredVerificationCodeManager pendingDevicesManager   = new StoredVerificationCodeManager(pendingDevices);
     UsernamesManager           usernamesManager           = new UsernamesManager(usernames, reservedUsernames, cacheCluster);
     ProfilesManager            profilesManager            = new ProfilesManager(profiles, cacheCluster);
     MessagesCache              messagesCache              = new MessagesCache(messagesCluster, messagesCluster, keyspaceNotificationDispatchExecutor);
-    PushLatencyManager         pushLatencyManager         = new PushLatencyManager(metricsCluster);
-    MessagesManager            messagesManager            = new MessagesManager(messagesDynamoDb, messagesCache, pushLatencyManager);
-    AccountsManager            accountsManager            = new AccountsManager(accounts, cacheCluster, directoryQueue, keysDynamoDb, messagesManager, usernamesManager, profilesManager);
-    RemoteConfigsManager       remoteConfigsManager       = new RemoteConfigsManager(remoteConfigs);
+    PushLatencyManager         pushLatencyManager         = new PushLatencyManager(metricsCluster, dynamicConfigurationManager);
+    ReportMessageManager       reportMessageManager       = new ReportMessageManager(reportMessageDynamoDb, rateLimitersCluster, Metrics.globalRegistry, config.getReportMessageConfiguration().getCounterTtl());
+    MessagesManager            messagesManager            = new MessagesManager(messagesDynamoDb, messagesCache, pushLatencyManager, reportMessageManager);
+    DeletedAccountsManager deletedAccountsManager = new DeletedAccountsManager(deletedAccounts,
+        deletedAccountsLockDynamoDbClient, config.getDeletedAccountsLockDynamoDbConfiguration().getTableName());
+    AccountsManager accountsManager = new AccountsManager(accounts, phoneNumberIdentifiers, cacheCluster,
+        deletedAccountsManager, directoryQueue, keys, messagesManager, usernamesManager, profilesManager,
+        pendingAccountsManager, secureStorageClient, secureBackupClient, clientPresenceManager, clock);
+    RemoteConfigsManager remoteConfigsManager = new RemoteConfigsManager(remoteConfigs);
     DeadLetterHandler          deadLetterHandler          = new DeadLetterHandler(accountsManager, messagesManager);
     DispatchManager            dispatchManager            = new DispatchManager(pubSubClientFactory, Optional.of(deadLetterHandler));
     PubSubManager              pubSubManager              = new PubSubManager(pubsubClient, dispatchManager);
     APNSender                  apnSender                  = new APNSender(apnSenderExecutor, accountsManager, config.getApnConfiguration());
     GCMSender                  gcmSender                  = new GCMSender(gcmSenderExecutor, accountsManager, config.getGcmConfiguration().getApiKey());
-    RateLimiters               rateLimiters               = new RateLimiters(config.getLimitsConfiguration(), dynamicConfigurationManager, cacheCluster);
+    RateLimiters               rateLimiters               = new RateLimiters(config.getLimitsConfiguration(), dynamicConfigurationManager, rateLimitersCluster);
     ProvisioningManager        provisioningManager        = new ProvisioningManager(pubSubManager);
+    IssuedReceiptsManager issuedReceiptsManager = new IssuedReceiptsManager(
+        config.getDynamoDbTables().getIssuedReceipts().getTableName(),
+        config.getDynamoDbTables().getIssuedReceipts().getExpiration(),
+        dynamoDbAsyncClient,
+        config.getDynamoDbTables().getIssuedReceipts().getGenerator());
+    RedeemedReceiptsManager redeemedReceiptsManager = new RedeemedReceiptsManager(
+        clock,
+        config.getDynamoDbTables().getRedeemedReceipts().getTableName(),
+        dynamoDbAsyncClient,
+        config.getDynamoDbTables().getRedeemedReceipts().getExpiration());
+    SubscriptionManager subscriptionManager = new SubscriptionManager(
+        config.getDynamoDbTables().getSubscriptions().getTableName(), dynamoDbAsyncClient);
 
     AccountAuthenticator                  accountAuthenticator                  = new AccountAuthenticator(accountsManager);
     DisabledPermittedAccountAuthenticator disabledPermittedAccountAuthenticator = new DisabledPermittedAccountAuthenticator(accountsManager);
 
-    ExternalServiceCredentialGenerator directoryCredentialsGenerator = new ExternalServiceCredentialGenerator(config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenSharedSecret(),
-                                                                                                              config.getDirectoryConfiguration().getDirectoryClientConfiguration().getUserAuthenticationTokenUserIdSecret(),
-                                                                                                              true);
+    RateLimitResetMetricsManager rateLimitResetMetricsManager = new RateLimitResetMetricsManager(metricsCluster, Metrics.globalRegistry);
 
-    ExternalServiceCredentialGenerator storageCredentialsGenerator   = new ExternalServiceCredentialGenerator(config.getSecureStorageServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
-    ExternalServiceCredentialGenerator backupCredentialsGenerator    = new ExternalServiceCredentialGenerator(config.getSecureBackupServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
-    ExternalServiceCredentialGenerator paymentsCredentialsGenerator  = new ExternalServiceCredentialGenerator(config.getPaymentsServiceConfiguration().getUserAuthenticationTokenSharedSecret(), new byte[0], false);
+    UnsealedSenderRateLimiter unsealedSenderRateLimiter = new UnsealedSenderRateLimiter(rateLimiters, rateLimitersCluster, dynamicConfigurationManager, rateLimitResetMetricsManager);
+    PreKeyRateLimiter preKeyRateLimiter = new PreKeyRateLimiter(rateLimiters, dynamicConfigurationManager, rateLimitResetMetricsManager);
 
     ApnFallbackManager       apnFallbackManager = new ApnFallbackManager(pushSchedulerCluster, apnSender, accountsManager);
-    TwilioSmsSender          twilioSmsSender    = new TwilioSmsSender(config.getTwilioConfiguration());
+    TwilioSmsSender          twilioSmsSender    = new TwilioSmsSender(config.getTwilioConfiguration(), dynamicConfigurationManager);
     SmsSender                smsSender          = new SmsSender(twilioSmsSender);
     MessageSender            messageSender      = new MessageSender(apnFallbackManager, clientPresenceManager, messagesManager, gcmSender, apnSender, pushLatencyManager);
     ReceiptSender            receiptSender      = new ReceiptSender(accountsManager, messageSender);
     TurnTokenGenerator       turnTokenGenerator = new TurnTokenGenerator(config.getTurnConfiguration());
-    RecaptchaClient          recaptchaClient    = new RecaptchaClient(config.getRecaptchaConfiguration().getSecret());
+    LegacyRecaptchaClient legacyRecaptchaClient = new LegacyRecaptchaClient(config.getRecaptchaConfiguration().getSecret());
+    EnterpriseRecaptchaClient enterpriseRecaptchaClient = new EnterpriseRecaptchaClient(
+        config.getRecaptchaV2Configuration().getScoreFloor().doubleValue(),
+        config.getRecaptchaV2Configuration().getSiteKey(),
+        config.getRecaptchaV2Configuration().getProjectPath(),
+        config.getRecaptchaV2Configuration().getCredentialConfigurationJson());
+    TransitionalRecaptchaClient transitionalRecaptchaClient = new TransitionalRecaptchaClient(legacyRecaptchaClient, enterpriseRecaptchaClient);
+    PushChallengeManager     pushChallengeManager = new PushChallengeManager(apnSender, gcmSender, pushChallengeDynamoDb);
+    RateLimitChallengeManager rateLimitChallengeManager = new RateLimitChallengeManager(pushChallengeManager,
+        transitionalRecaptchaClient, preKeyRateLimiter, unsealedSenderRateLimiter, rateLimiters,
+        dynamicConfigurationManager);
 
     MessagePersister messagePersister = new MessagePersister(messagesCache, messagesManager, accountsManager, dynamicConfigurationManager, Duration.ofMinutes(config.getMessageCacheConfiguration().getPersistDelayMinutes()));
 
-    final List<AccountDatabaseCrawlerListener> accountDatabaseCrawlerListeners = new ArrayList<>();
-    accountDatabaseCrawlerListeners.add(new PushFeedbackProcessor(accountsManager, directoryQueue));
-    accountDatabaseCrawlerListeners.add(new ActiveUserCounter(config.getMetricsFactory(), cacheCluster));
-    for (DirectoryServerConfiguration directoryServerConfiguration : config.getDirectoryConfiguration().getDirectoryServerConfiguration()) {
-      final DirectoryReconciliationClient directoryReconciliationClient = new DirectoryReconciliationClient(directoryServerConfiguration);
-      final DirectoryReconciler directoryReconciler = new DirectoryReconciler(directoryServerConfiguration.getReplicationName(), directoryReconciliationClient);
-      accountDatabaseCrawlerListeners.add(directoryReconciler);
+    final List<AccountDatabaseCrawlerListener> directoryReconciliationAccountDatabaseCrawlerListeners = new ArrayList<>();
+    final List<DeletedAccountsDirectoryReconciler> deletedAccountsDirectoryReconcilers = new ArrayList<>();
+    for (DirectoryServerConfiguration directoryServerConfiguration : config.getDirectoryConfiguration()
+        .getDirectoryServerConfiguration()) {
+      final DirectoryReconciliationClient directoryReconciliationClient = new DirectoryReconciliationClient(
+          directoryServerConfiguration);
+      final DirectoryReconciler directoryReconciler = new DirectoryReconciler(
+          directoryServerConfiguration.getReplicationName(), directoryReconciliationClient,
+          dynamicConfigurationManager);
+      // reconcilers are read-only
+      directoryReconciliationAccountDatabaseCrawlerListeners.add(directoryReconciler);
+
+      final DeletedAccountsDirectoryReconciler deletedAccountsDirectoryReconciler = new DeletedAccountsDirectoryReconciler(
+          directoryServerConfiguration.getReplicationName(), directoryReconciliationClient);
+      deletedAccountsDirectoryReconcilers.add(deletedAccountsDirectoryReconciler);
     }
-    accountDatabaseCrawlerListeners.add(new AccountCleaner(accountsManager));
-    accountDatabaseCrawlerListeners.add(new RegistrationLockVersionCounter(metricsCluster, config.getMetricsFactory()));
+
+    AccountDatabaseCrawlerCache directoryReconciliationAccountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(
+        cacheCluster, AccountDatabaseCrawlerCache.DIRECTORY_RECONCILER_PREFIX);
+    AccountDatabaseCrawler directoryReconciliationAccountDatabaseCrawler = new AccountDatabaseCrawler(
+        "Reconciliation crawler",
+        accountsManager,
+        directoryReconciliationAccountDatabaseCrawlerCache, directoryReconciliationAccountDatabaseCrawlerListeners,
+        config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
+        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
+    );
+
+    // TODO listeners must be ordered so that ones that directly update accounts come last, so that read-only ones are not working with stale data
+    final List<AccountDatabaseCrawlerListener> accountDatabaseCrawlerListeners = List.of(
+        new NonNormalizedAccountCrawlerListener(accountsManager, metricsCluster),
+        new ContactDiscoveryWriter(accountsManager),
+        // PushFeedbackProcessor may update device properties
+        new PushFeedbackProcessor(accountsManager),
+        // delete accounts last
+        new AccountCleaner(accountsManager)
+    );
+
+    AccountDatabaseCrawlerCache accountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(cacheCluster,
+        AccountDatabaseCrawlerCache.GENERAL_PURPOSE_PREFIX);
+    AccountDatabaseCrawler accountDatabaseCrawler = new AccountDatabaseCrawler("General-purpose account crawler",
+        accountsManager,
+        accountDatabaseCrawlerCache, accountDatabaseCrawlerListeners,
+        config.getAccountDatabaseCrawlerConfiguration().getChunkSize(),
+        config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs()
+    );
+
+    DeletedAccountsTableCrawler deletedAccountsTableCrawler = new DeletedAccountsTableCrawler(deletedAccountsManager, deletedAccountsDirectoryReconcilers, cacheCluster, recurringJobExecutor);
 
     HttpClient                currencyClient  = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
     FixerClient               fixerClient     = new FixerClient(currencyClient, config.getPaymentsServiceConfiguration().getFixerApiKey());
     FtxClient                 ftxClient       = new FtxClient(currencyClient);
     CurrencyConversionManager currencyManager = new CurrencyConversionManager(fixerClient, ftxClient, config.getPaymentsServiceConfiguration().getPaymentCurrencies());
 
-    AccountDatabaseCrawlerCache accountDatabaseCrawlerCache = new AccountDatabaseCrawlerCache(cacheCluster);
-    AccountDatabaseCrawler      accountDatabaseCrawler      = new AccountDatabaseCrawler(accountsManager, accountDatabaseCrawlerCache, accountDatabaseCrawlerListeners, config.getAccountDatabaseCrawlerConfiguration().getChunkSize(), config.getAccountDatabaseCrawlerConfiguration().getChunkIntervalMs());
-
     apnSender.setApnFallbackManager(apnFallbackManager);
+    environment.lifecycle().manage(new ApplicationShutdownMonitor());
     environment.lifecycle().manage(apnFallbackManager);
     environment.lifecycle().manage(pubSubManager);
     environment.lifecycle().manage(messageSender);
     environment.lifecycle().manage(accountDatabaseCrawler);
+    environment.lifecycle().manage(directoryReconciliationAccountDatabaseCrawler);
+    environment.lifecycle().manage(deletedAccountsTableCrawler);
     environment.lifecycle().manage(remoteConfigsManager);
     environment.lifecycle().manage(messagesCache);
     environment.lifecycle().manage(messagePersister);
     environment.lifecycle().manage(clientPresenceManager);
+    environment.lifecycle().manage(currencyManager);
+    environment.lifecycle().manage(directoryQueue);
 
-    AWSCredentials         credentials               = new BasicAWSCredentials(config.getCdnConfiguration().getAccessKey(), config.getCdnConfiguration().getAccessSecret());
-    AWSCredentialsProvider credentialsProvider       = new AWSStaticCredentialsProvider(credentials);
-    AmazonS3               cdnS3Client               = AmazonS3Client.builder().withCredentials(credentialsProvider).withRegion(config.getCdnConfiguration().getRegion()).build();
-    PostPolicyGenerator    profileCdnPolicyGenerator = new PostPolicyGenerator(config.getCdnConfiguration().getRegion(), config.getCdnConfiguration().getBucket(), config.getCdnConfiguration().getAccessKey());
-    PolicySigner           profileCdnPolicySigner    = new PolicySigner(config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion());
+    StaticCredentialsProvider cdnCredentialsProvider = StaticCredentialsProvider
+        .create(AwsBasicCredentials.create(
+            config.getCdnConfiguration().getAccessKey(),
+            config.getCdnConfiguration().getAccessSecret()));
+    S3Client cdnS3Client               = S3Client.builder()
+        .credentialsProvider(cdnCredentialsProvider)
+        .region(Region.of(config.getCdnConfiguration().getRegion()))
+        .build();
+    PostPolicyGenerator profileCdnPolicyGenerator = new PostPolicyGenerator(config.getCdnConfiguration().getRegion(),
+        config.getCdnConfiguration().getBucket(), config.getCdnConfiguration().getAccessKey());
+    PolicySigner profileCdnPolicySigner = new PolicySigner(config.getCdnConfiguration().getAccessSecret(),
+        config.getCdnConfiguration().getRegion());
 
-    ServerSecretParams        zkSecretParams         = new ServerSecretParams(config.getZkConfig().getServerSecret());
-    ServerZkProfileOperations zkProfileOperations    = new ServerZkProfileOperations(zkSecretParams);
-    ServerZkAuthOperations    zkAuthOperations       = new ServerZkAuthOperations(zkSecretParams);
-    boolean                   isZkEnabled            = config.getZkConfig().isEnabled();
+    ServerSecretParams zkSecretParams = new ServerSecretParams(config.getZkConfig().getServerSecret());
+    ServerZkProfileOperations zkProfileOperations = new ServerZkProfileOperations(zkSecretParams);
+    ServerZkAuthOperations zkAuthOperations = new ServerZkAuthOperations(zkSecretParams);
+    ServerZkReceiptOperations zkReceiptOperations = new ServerZkReceiptOperations(zkSecretParams);
 
-    AttachmentControllerV1 attachmentControllerV1    = new AttachmentControllerV1(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getBucket());
-    AttachmentControllerV2 attachmentControllerV2    = new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket());
-    AttachmentControllerV3 attachmentControllerV3    = new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey());
-    KeysController         keysController            = new KeysController(rateLimiters, keysDynamoDb, accountsManager, directoryQueue);
-    MessageController      messageController         = new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, messagesManager, apnFallbackManager, dynamicConfigurationManager);
-    ProfileController      profileController         = new ProfileController(rateLimiters, accountsManager, profilesManager, usernamesManager, cdnS3Client, profileCdnPolicyGenerator, profileCdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations, isZkEnabled);
-    StickerController      stickerController         = new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(), config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(), config.getCdnConfiguration().getBucket());
-    RemoteConfigController remoteConfigController    = new RemoteConfigController(remoteConfigsManager, config.getRemoteConfigConfiguration().getAuthorizedTokens(), config.getRemoteConfigConfiguration().getGlobalConfig());
+    AuthFilter<BasicCredentials, AuthenticatedAccount> accountAuthFilter = new BasicCredentialAuthFilter.Builder<AuthenticatedAccount>().setAuthenticator(
+        accountAuthenticator).buildAuthFilter();
+    AuthFilter<BasicCredentials, DisabledPermittedAuthenticatedAccount> disabledPermittedAccountAuthFilter = new BasicCredentialAuthFilter.Builder<DisabledPermittedAuthenticatedAccount>().setAuthenticator(
+        disabledPermittedAccountAuthenticator).buildAuthFilter();
 
-    AuthFilter<BasicCredentials, Account>                  accountAuthFilter                  = new BasicCredentialAuthFilter.Builder<Account>().setAuthenticator(accountAuthenticator).buildAuthFilter                                  ();
-    AuthFilter<BasicCredentials, DisabledPermittedAccount> disabledPermittedAccountAuthFilter = new BasicCredentialAuthFilter.Builder<DisabledPermittedAccount>().setAuthenticator(disabledPermittedAccountAuthenticator).buildAuthFilter();
-
-    environment.servlets().addFilter("RemoteDeprecationFilter", new RemoteDeprecationFilter(dynamicConfigurationManager))
+    environment.servlets()
+        .addFilter("RemoteDeprecationFilter", new RemoteDeprecationFilter(dynamicConfigurationManager))
         .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
 
+    // TODO Remove on or after 2022-03-01
+    final AcceptNumericOnlineFlagRequestFilter acceptNumericOnlineFlagRequestFilter =
+        new AcceptNumericOnlineFlagRequestFilter("v1/messages/multi_recipient");
+
+    environment.jersey().register(new ContentLengthFilter(TrafficSource.HTTP));
+    environment.jersey().register(acceptNumericOnlineFlagRequestFilter);
+    environment.jersey().register(MultiRecipientMessageProvider.class);
     environment.jersey().register(new MetricsApplicationEventListener(TrafficSource.HTTP));
-
-    environment.jersey().register(new PolymorphicAuthDynamicFeature<>(ImmutableMap.of(Account.class, accountAuthFilter,
-                                                                                      DisabledPermittedAccount.class, disabledPermittedAccountAuthFilter)));
-    environment.jersey().register(new PolymorphicAuthValueFactoryProvider.Binder<>(ImmutableSet.of(Account.class, DisabledPermittedAccount.class)));
-
+    environment.jersey()
+        .register(new PolymorphicAuthDynamicFeature<>(ImmutableMap.of(AuthenticatedAccount.class, accountAuthFilter,
+            DisabledPermittedAuthenticatedAccount.class, disabledPermittedAccountAuthFilter)));
+    environment.jersey().register(new PolymorphicAuthValueFactoryProvider.Binder<>(
+        ImmutableSet.of(AuthenticatedAccount.class, DisabledPermittedAuthenticatedAccount.class)));
+    environment.jersey().register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
     environment.jersey().register(new TimestampResponseFilter());
-
-    environment.jersey().register(new AccountController(pendingAccountsManager, accountsManager, usernamesManager, abusiveHostRules, rateLimiters, smsSender, directoryQueue, messagesManager, turnTokenGenerator, config.getTestDevices(), recaptchaClient, gcmSender, apnSender, backupCredentialsGenerator));
-    environment.jersey().register(new DeviceController(pendingDevicesManager, accountsManager, messagesManager, directoryQueue, rateLimiters, config.getMaxDevices()));
-    environment.jersey().register(new DirectoryController(directoryCredentialsGenerator));
-    environment.jersey().register(new ProvisioningController(rateLimiters, provisioningManager));
-    environment.jersey().register(new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations, isZkEnabled));
-    environment.jersey().register(new VoiceVerificationController(config.getVoiceVerificationConfiguration().getUrl(), config.getVoiceVerificationConfiguration().getLocales()));
-    environment.jersey().register(new SecureStorageController(storageCredentialsGenerator));
-    environment.jersey().register(new SecureBackupController(backupCredentialsGenerator));
-    environment.jersey().register(new PaymentsController(currencyManager, paymentsCredentialsGenerator));
-    environment.jersey().register(attachmentControllerV1);
-    environment.jersey().register(attachmentControllerV2);
-    environment.jersey().register(attachmentControllerV3);
-    environment.jersey().register(keysController);
-    environment.jersey().register(messageController);
-    environment.jersey().register(profileController);
-    environment.jersey().register(stickerController);
-    environment.jersey().register(remoteConfigController);
+    environment.jersey().register(new VoiceVerificationController(config.getVoiceVerificationConfiguration().getUrl(),
+        config.getVoiceVerificationConfiguration().getLocales()));
 
     ///
-    WebSocketEnvironment<Account> webSocketEnvironment = new WebSocketEnvironment<>(environment, config.getWebSocketConfiguration(), 90000);
+    WebSocketEnvironment<AuthenticatedAccount> webSocketEnvironment = new WebSocketEnvironment<>(environment,
+        config.getWebSocketConfiguration(), 90000);
     webSocketEnvironment.setAuthenticator(new WebSocketAccountAuthenticator(accountAuthenticator));
-    webSocketEnvironment.setConnectListener(new AuthenticatedConnectListener(receiptSender, messagesManager, messageSender, apnFallbackManager, clientPresenceManager));
+    webSocketEnvironment.setConnectListener(
+        new AuthenticatedConnectListener(receiptSender, messagesManager, messageSender, apnFallbackManager,
+            clientPresenceManager, retrySchedulingExecutor));
+    webSocketEnvironment.jersey().register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
+    webSocketEnvironment.jersey().register(new ContentLengthFilter(TrafficSource.WEBSOCKET));
+    webSocketEnvironment.jersey().register(acceptNumericOnlineFlagRequestFilter);
+    webSocketEnvironment.jersey().register(MultiRecipientMessageProvider.class);
     webSocketEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET));
     webSocketEnvironment.jersey().register(new KeepAliveController(clientPresenceManager));
-    webSocketEnvironment.jersey().register(messageController);
-    webSocketEnvironment.jersey().register(profileController);
-    webSocketEnvironment.jersey().register(attachmentControllerV1);
-    webSocketEnvironment.jersey().register(attachmentControllerV2);
-    webSocketEnvironment.jersey().register(attachmentControllerV3);
-    webSocketEnvironment.jersey().register(remoteConfigController);
 
-    WebSocketEnvironment<Account> provisioningEnvironment = new WebSocketEnvironment<>(environment, webSocketEnvironment.getRequestLog(), 60000);
+    // these should be common, but use @Auth DisabledPermittedAccount, which isn’t supported yet on websocket
+    environment.jersey().register(
+        new AccountController(pendingAccountsManager, accountsManager, usernamesManager, abusiveHostRules, rateLimiters,
+            smsSender, dynamicConfigurationManager, turnTokenGenerator, config.getTestDevices(),
+            transitionalRecaptchaClient, gcmSender, apnSender, backupCredentialsGenerator,
+            verifyExperimentEnrollmentManager));
+    environment.jersey().register(new KeysController(rateLimiters, keys, accountsManager, preKeyRateLimiter, rateLimitChallengeManager));
+
+    final List<Object> commonControllers = Lists.newArrayList(
+        new AttachmentControllerV1(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getBucket()),
+        new AttachmentControllerV2(rateLimiters, config.getAwsAttachmentsConfiguration().getAccessKey(), config.getAwsAttachmentsConfiguration().getAccessSecret(), config.getAwsAttachmentsConfiguration().getRegion(), config.getAwsAttachmentsConfiguration().getBucket()),
+        new AttachmentControllerV3(rateLimiters, config.getGcpAttachmentsConfiguration().getDomain(), config.getGcpAttachmentsConfiguration().getEmail(), config.getGcpAttachmentsConfiguration().getMaxSizeInBytes(), config.getGcpAttachmentsConfiguration().getPathPrefix(), config.getGcpAttachmentsConfiguration().getRsaSigningKey()),
+        new CertificateController(new CertificateGenerator(config.getDeliveryCertificate().getCertificate(), config.getDeliveryCertificate().getPrivateKey(), config.getDeliveryCertificate().getExpiresDays()), zkAuthOperations),
+        new ChallengeController(rateLimitChallengeManager),
+        new DeviceController(pendingDevicesManager, accountsManager, messagesManager, keys, rateLimiters, config.getMaxDevices()),
+        new DirectoryController(directoryCredentialsGenerator),
+        new DirectoryV2Controller(directoryV2CredentialsGenerator),
+        new DonationController(clock, zkReceiptOperations, redeemedReceiptsManager, accountsManager, config.getBadges(),
+            ReceiptCredentialPresentation::new, stripeExecutor, config.getDonationConfiguration(), config.getStripe()),
+        new MessageController(rateLimiters, messageSender, receiptSender, accountsManager, messagesManager, unsealedSenderRateLimiter, apnFallbackManager,
+            rateLimitChallengeManager, reportMessageManager, multiRecipientMessageExecutor),
+        new PaymentsController(currencyManager, paymentsCredentialsGenerator),
+        new ProfileController(clock, rateLimiters, accountsManager, profilesManager, usernamesManager, dynamicConfigurationManager, profileBadgeConverter, config.getBadges(), cdnS3Client, profileCdnPolicyGenerator, profileCdnPolicySigner, config.getCdnConfiguration().getBucket(), zkProfileOperations),
+        new ProvisioningController(rateLimiters, provisioningManager),
+        new RemoteConfigController(remoteConfigsManager, config.getRemoteConfigConfiguration().getAuthorizedTokens(), config.getRemoteConfigConfiguration().getGlobalConfig()),
+        new SecureBackupController(backupCredentialsGenerator),
+        new SecureStorageController(storageCredentialsGenerator),
+        new StickerController(rateLimiters, config.getCdnConfiguration().getAccessKey(),
+            config.getCdnConfiguration().getAccessSecret(), config.getCdnConfiguration().getRegion(),
+            config.getCdnConfiguration().getBucket())
+    );
+    if (config.getSubscription() != null && config.getBoost() != null) {
+      commonControllers.add(new SubscriptionController(clock, config.getSubscription(), config.getBoost(),
+          subscriptionManager, stripeManager, zkReceiptOperations, issuedReceiptsManager, profileBadgeConverter,
+          resourceBundleLevelTranslator));
+    }
+
+    for (Object controller : commonControllers) {
+      environment.jersey().register(controller);
+      webSocketEnvironment.jersey().register(controller);
+    }
+
+    boolean registeredAbusiveMessageFilter = false;
+
+    for (final AbusiveMessageFilter filter : ServiceLoader.load(AbusiveMessageFilter.class)) {
+      if (filter.getClass().isAnnotationPresent(FilterAbusiveMessages.class)) {
+        try {
+          filter.configure(config.getAbusiveMessageFilterConfiguration().getEnvironment());
+
+          environment.lifecycle().manage(filter);
+          environment.jersey().register(filter);
+          webSocketEnvironment.jersey().register(filter);
+
+          log.info("Registered abusive message filter: {}", filter.getClass().getName());
+          registeredAbusiveMessageFilter = true;
+        } catch (final Exception e) {
+          log.warn("Failed to register abusive message filter: {}", filter.getClass().getName(), e);
+        }
+      } else {
+        log.warn("Abusive message filter {} not annotated with @FilterAbusiveMessages and will not be installed",
+            filter.getClass().getName());
+      }
+    }
+
+    if (!registeredAbusiveMessageFilter) {
+      log.warn("No abusive message filters installed");
+    }
+
+    WebSocketEnvironment<AuthenticatedAccount> provisioningEnvironment = new WebSocketEnvironment<>(environment,
+        webSocketEnvironment.getRequestLog(), 60000);
+    provisioningEnvironment.jersey().register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
     provisioningEnvironment.setConnectListener(new ProvisioningConnectListener(pubSubManager));
     provisioningEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET));
     provisioningEnvironment.jersey().register(new KeepAliveController(clientPresenceManager));
@@ -459,10 +728,23 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     registerCorsFilter(environment);
     registerExceptionMappers(environment, webSocketEnvironment, provisioningEnvironment);
 
-    WebSocketResourceProviderFactory<Account> webSocketServlet    = new WebSocketResourceProviderFactory<>(webSocketEnvironment, Account.class);
-    WebSocketResourceProviderFactory<Account> provisioningServlet = new WebSocketResourceProviderFactory<>(provisioningEnvironment, Account.class);
+    RateLimitChallengeExceptionMapper rateLimitChallengeExceptionMapper = new RateLimitChallengeExceptionMapper(
+        rateLimitChallengeManager);
 
-    ServletRegistration.Dynamic websocket    = environment.servlets().addServlet("WebSocket", webSocketServlet      );
+    environment.jersey().register(rateLimitChallengeExceptionMapper);
+    webSocketEnvironment.jersey().register(rateLimitChallengeExceptionMapper);
+    provisioningEnvironment.jersey().register(rateLimitChallengeExceptionMapper);
+
+    environment.jersey().property(ServerProperties.UNWRAP_COMPLETION_STAGE_IN_WRITER_ENABLE, Boolean.TRUE);
+    webSocketEnvironment.jersey().property(ServerProperties.UNWRAP_COMPLETION_STAGE_IN_WRITER_ENABLE, Boolean.TRUE);
+    provisioningEnvironment.jersey().property(ServerProperties.UNWRAP_COMPLETION_STAGE_IN_WRITER_ENABLE, Boolean.TRUE);
+
+    WebSocketResourceProviderFactory<AuthenticatedAccount> webSocketServlet = new WebSocketResourceProviderFactory<>(
+        webSocketEnvironment, AuthenticatedAccount.class, config.getWebSocketConfiguration());
+    WebSocketResourceProviderFactory<AuthenticatedAccount> provisioningServlet = new WebSocketResourceProviderFactory<>(
+        provisioningEnvironment, AuthenticatedAccount.class, config.getWebSocketConfiguration());
+
+    ServletRegistration.Dynamic websocket = environment.servlets().addServlet("WebSocket", webSocketServlet);
     ServletRegistration.Dynamic provisioning = environment.servlets().addServlet("Provisioning", provisioningServlet);
 
     websocket.addMapping("/v1/websocket/");
@@ -474,8 +756,6 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     environment.admin().addTask(new SetRequestLoggingEnabledTask());
     environment.admin().addTask(new SetCrawlerAccelerationTask(accountDatabaseCrawlerCache));
 
-///
-
     environment.healthChecks().register("cacheCluster", new RedisClusterHealthCheck(cacheCluster));
 
     environment.metrics().register(name(CpuUsageGauge.class, "cpu"), new CpuUsageGauge(3, TimeUnit.SECONDS));
@@ -484,28 +764,35 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     environment.metrics().register(name(NetworkReceivedGauge.class, "bytes_received"), new NetworkReceivedGauge());
     environment.metrics().register(name(FileDescriptorGauge.class, "fd_count"), new FileDescriptorGauge());
     environment.metrics().register(name(MaxFileDescriptorGauge.class, "max_fd_count"), new MaxFileDescriptorGauge());
-    environment.metrics().register(name(OperatingSystemMemoryGauge.class, "buffers"), new OperatingSystemMemoryGauge("Buffers"));
-    environment.metrics().register(name(OperatingSystemMemoryGauge.class, "cached"), new OperatingSystemMemoryGauge("Cached"));
+    environment.metrics()
+        .register(name(OperatingSystemMemoryGauge.class, "buffers"), new OperatingSystemMemoryGauge("Buffers"));
+    environment.metrics()
+        .register(name(OperatingSystemMemoryGauge.class, "cached"), new OperatingSystemMemoryGauge("Cached"));
 
     BufferPoolGauges.registerMetrics();
     GarbageCollectionGauges.registerMetrics();
   }
 
-  private void registerExceptionMappers(Environment environment, WebSocketEnvironment<Account> webSocketEnvironment, WebSocketEnvironment<Account> provisioningEnvironment) {
-    environment.jersey().register(new IOExceptionMapper());
-    environment.jersey().register(new RateLimitExceededExceptionMapper());
-    environment.jersey().register(new InvalidWebsocketAddressExceptionMapper());
-    environment.jersey().register(new DeviceLimitExceededExceptionMapper());
+  private void registerExceptionMappers(Environment environment,
+      WebSocketEnvironment<AuthenticatedAccount> webSocketEnvironment,
+      WebSocketEnvironment<AuthenticatedAccount> provisioningEnvironment) {
 
-    webSocketEnvironment.jersey().register(new IOExceptionMapper());
-    webSocketEnvironment.jersey().register(new RateLimitExceededExceptionMapper());
-    webSocketEnvironment.jersey().register(new InvalidWebsocketAddressExceptionMapper());
-    webSocketEnvironment.jersey().register(new DeviceLimitExceededExceptionMapper());
-
-    provisioningEnvironment.jersey().register(new IOExceptionMapper());
-    provisioningEnvironment.jersey().register(new RateLimitExceededExceptionMapper());
-    provisioningEnvironment.jersey().register(new InvalidWebsocketAddressExceptionMapper());
-    provisioningEnvironment.jersey().register(new DeviceLimitExceededExceptionMapper());
+    List.of(
+        new LoggingUnhandledExceptionMapper(),
+        new CompletionExceptionMapper(),
+        new IOExceptionMapper(),
+        new RateLimitExceededExceptionMapper(),
+        new InvalidWebsocketAddressExceptionMapper(),
+        new DeviceLimitExceededExceptionMapper(),
+        new RetryLaterExceptionMapper(),
+        new ServerRejectedExceptionMapper(),
+        new ImpossiblePhoneNumberExceptionMapper(),
+        new NonNormalizedPhoneNumberExceptionMapper()
+    ).forEach(exceptionMapper -> {
+      environment.jersey().register(exceptionMapper);
+      webSocketEnvironment.jersey().register(exceptionMapper);
+      provisioningEnvironment.jersey().register(exceptionMapper);
+    });
   }
 
   private void registerCorsFilter(Environment environment) {

service/src/main/java/org/whispersystems/textsecuregcm/abuse/AbusiveMessageFilter.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.abuse;
+
+import io.dropwizard.lifecycle.Managed;
+import javax.ws.rs.container.ContainerRequestFilter;
+import java.io.IOException;
+
+/**
+ * An abusive message filter is a {@link ContainerRequestFilter} that filters requests to message-sending endpoints to
+ * detect and respond to patterns of abusive behavior.
+ * <p/>
+ * Abusive message filters are managed components that are generally loaded dynamically via a
+ * {@link java.util.ServiceLoader}. Their {@link #configure(String)} method will be called prior to be adding to the
+ * server's pool of {@link Managed} objects.
+ * <p/>
+ * Abusive message filters must be annotated with {@link FilterAbusiveMessages}, a name binding annotation that
+ * restricts the endpoints to which the filter may apply.
+ */
+public interface AbusiveMessageFilter extends ContainerRequestFilter, Managed {
+
+  /**
+   * Configures this abusive message filter. This method will be called before the filter is added to the server's pool
+   * of managed objects and before the server processes any requests.
+   *
+   * @param environmentName the name of the environment in which this filter is running (e.g. "staging" or "production")
+   * @throws IOException if the filter could not read its configuration source for any reason
+   */
+  void configure(String environmentName) throws IOException;
+}

service/src/main/java/org/whispersystems/textsecuregcm/abuse/FilterAbusiveMessages.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.abuse;
+
+import javax.ws.rs.NameBinding;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * A name-binding annotation that associates {@link AbusiveMessageFilter}s with resource methods.
+ */
+@NameBinding
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.TYPE, ElementType.METHOD})
+public @interface FilterAbusiveMessages {
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAndAuthenticatedDeviceHolder.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public interface AccountAndAuthenticatedDeviceHolder {
+
+  Account getAccount();
+
+  Device getAuthenticatedDevice();
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java

@@ -1,42 +1,38 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013-2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 package org.whispersystems.textsecuregcm.auth;
 
-import io.micrometer.core.instrument.Metrics;
-import io.micrometer.core.instrument.Tag;
-import org.apache.http.auth.AUTH;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-
-import java.util.List;
-import java.util.Optional;
-
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.basic.BasicCredentials;
+import java.util.Optional;
+import io.micrometer.core.instrument.Metrics;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
 
 import static com.codahale.metrics.MetricRegistry.name;
 
-public class AccountAuthenticator extends BaseAccountAuthenticator implements Authenticator<BasicCredentials, Account> {
+public class AccountAuthenticator extends BaseAccountAuthenticator implements
+    Authenticator<BasicCredentials, AuthenticatedAccount> {
 
-  private static final String AUTHENTICATION_COUNTER_NAME     = name(AccountAuthenticator.class, "authenticate");
-  private static final String GV2_CAPABLE_TAG_NAME            = "gv1Migration";
+  private static final String AUTHENTICATION_COUNTER_NAME = name(AccountAuthenticator.class, "authenticate");
 
   public AccountAuthenticator(AccountsManager accountsManager) {
     super(accountsManager);
   }
 
   @Override
-  public Optional<Account> authenticate(BasicCredentials basicCredentials) {
-    final Optional<Account> maybeAccount = super.authenticate(basicCredentials, true);
+  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials) {
+    final Optional<AuthenticatedAccount> maybeAuthenticatedAccount = super.authenticate(basicCredentials, true);
 
-    // TODO Remove this temporary counter when we can replace it with more generic feature adoption system
-    maybeAccount.ifPresent(account -> {
-      Metrics.counter(AUTHENTICATION_COUNTER_NAME, GV2_CAPABLE_TAG_NAME, String.valueOf(account.isGv1MigrationSupported())).increment();
-    });
+    // TODO Remove after announcement groups have launched
+    maybeAuthenticatedAccount.ifPresent(authenticatedAccount ->
+        Metrics.counter(AUTHENTICATION_COUNTER_NAME,
+            "supportsAnnouncementGroups",
+            String.valueOf(authenticatedAccount.getAccount().isAnnouncementGroupSupported()))
+            .increment());
 
-    return maybeAccount;
+    return maybeAuthenticatedAccount;
   }
 
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/AmbiguousIdentifier.java

@@ -1,45 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import java.util.UUID;
-
-public class AmbiguousIdentifier {
-
-  private final UUID   uuid;
-  private final String number;
-
-  public AmbiguousIdentifier(String target) {
-    if (target.startsWith("+")) {
-      this.uuid   = null;
-      this.number = target;
-    } else {
-      this.uuid   = UUID.fromString(target);
-      this.number = null;
-    }
-  }
-
-  public UUID getUuid() {
-    return uuid;
-  }
-
-  public String getNumber() {
-    return number;
-  }
-
-  public boolean hasUuid() {
-    return uuid != null;
-  }
-
-  public boolean hasNumber() {
-    return number != null;
-  }
-
-  @Override
-  public String toString() {
-    return hasUuid() ? uuid.toString() : number;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/Anonymous.java

@@ -5,11 +5,9 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.whispersystems.textsecuregcm.util.Base64;
-
+import java.util.Base64;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
-import java.io.IOException;
 
 public class Anonymous {
 
@@ -17,8 +15,8 @@ public class Anonymous {
 
   public Anonymous(String header) {
     try {
-      this.unidentifiedSenderAccessKey = Base64.decode(header);
-    } catch (IOException e) {
+      this.unidentifiedSenderAccessKey = Base64.getDecoder().decode(header);
+    } catch (IllegalArgumentException e) {
       throw new WebApplicationException(e, Response.Status.UNAUTHORIZED);
     }
   }

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthEnablementRefreshRequirementProvider.java

@@ -0,0 +1,100 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Collectors;
+import org.glassfish.jersey.server.ContainerRequest;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+/**
+ * This {@link WebsocketRefreshRequirementProvider} observes intra-request changes in {@link Account#isEnabled()} and
+ * {@link Device#isEnabled()}.
+ * <p>
+ * If a change in {@link Account#isEnabled()} or any associated {@link Device#isEnabled()} is observed, then any active
+ * WebSocket connections for the account must be closed in order for clients to get a refreshed
+ * {@link io.dropwizard.auth.Auth} object with a current device list.
+ *
+ * @see AuthenticatedAccount
+ * @see DisabledPermittedAuthenticatedAccount
+ */
+public class AuthEnablementRefreshRequirementProvider implements WebsocketRefreshRequirementProvider {
+
+  private final AccountsManager accountsManager;
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthEnablementRefreshRequirementProvider.class);
+
+  private static final String ACCOUNT_UUID = AuthEnablementRefreshRequirementProvider.class.getName() + ".accountUuid";
+  private static final String DEVICES_ENABLED = AuthEnablementRefreshRequirementProvider.class.getName() + ".devicesEnabled";
+
+  public AuthEnablementRefreshRequirementProvider(final AccountsManager accountsManager) {
+    this.accountsManager = accountsManager;
+  }
+
+  @VisibleForTesting
+  static Map<Long, Boolean> buildDevicesEnabledMap(final Account account) {
+    return account.getDevices().stream().collect(Collectors.toMap(Device::getId, Device::isEnabled));
+  }
+
+  @Override
+  public void handleRequestFiltered(final RequestEvent requestEvent) {
+    if (requestEvent.getUriInfo().getMatchedResourceMethod().getInvocable().getHandlingMethod().getAnnotation(ChangesDeviceEnabledState.class) != null) {
+      // The authenticated principal, if any, will be available after filters have run.
+      // Now that the account is known, capture a snapshot of `isEnabled` for the account's devices before carrying out
+      // the request’s business logic.
+      ContainerRequestUtil.getAuthenticatedAccount(requestEvent.getContainerRequest()).ifPresent(account ->
+          setAccount(requestEvent.getContainerRequest(), account));
+    }
+  }
+
+  public static void setAccount(final ContainerRequest containerRequest, final Account account) {
+    containerRequest.setProperty(ACCOUNT_UUID, account.getUuid());
+    containerRequest.setProperty(DEVICES_ENABLED, buildDevicesEnabledMap(account));
+  }
+
+  @Override
+  public List<Pair<UUID, Long>> handleRequestFinished(final RequestEvent requestEvent) {
+    // Now that the request is finished, check whether `isEnabled` changed for any of the devices. If the value did
+    // change or if a devices was added or removed, all devices must disconnect and reauthenticate.
+    if (requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED) != null) {
+
+      @SuppressWarnings("unchecked") final Map<Long, Boolean> initialDevicesEnabled =
+          (Map<Long, Boolean>) requestEvent.getContainerRequest().getProperty(DEVICES_ENABLED);
+
+      return accountsManager.getByAccountIdentifier((UUID) requestEvent.getContainerRequest().getProperty(ACCOUNT_UUID)).map(account -> {
+        final Set<Long> deviceIdsToDisplace;
+        final Map<Long, Boolean> currentDevicesEnabled = buildDevicesEnabledMap(account);
+
+        if (!initialDevicesEnabled.equals(currentDevicesEnabled)) {
+          deviceIdsToDisplace = new HashSet<>(initialDevicesEnabled.keySet());
+          deviceIdsToDisplace.addAll(currentDevicesEnabled.keySet());
+        } else {
+          deviceIdsToDisplace = Collections.emptySet();
+        }
+
+        return deviceIdsToDisplace.stream()
+            .map(deviceId -> new Pair<>(account.getUuid(), deviceId))
+            .collect(Collectors.toList());
+      }).orElseGet(() -> {
+        logger.error("Request had account, but it is no longer present");
+        return Collections.emptyList();
+      });
+    } else
+      return Collections.emptyList();
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedAccount.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.security.Principal;
+import java.util.function.Supplier;
+import javax.security.auth.Subject;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+public class AuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
+
+  private final Supplier<Pair<Account, Device>> accountAndDevice;
+
+  public AuthenticatedAccount(final Supplier<Pair<Account, Device>> accountAndDevice) {
+    this.accountAndDevice = accountAndDevice;
+  }
+
+  @Override
+  public Account getAccount() {
+    return accountAndDevice.get().first();
+  }
+
+  @Override
+  public Device getAuthenticatedDevice() {
+    return accountAndDevice.get().second();
+  }
+
+  // Principal implementation
+
+  @Override
+  public String getName() {
+    return null;
+  }
+
+  @Override
+  public boolean implies(final Subject subject) {
+    return false;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthorizationHeader.java

@@ -1,81 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.auth;
-
-
-import org.whispersystems.textsecuregcm.util.Base64;
-import org.whispersystems.textsecuregcm.util.Util;
-
-import java.io.IOException;
-
-public class AuthorizationHeader {
-
-  private final AmbiguousIdentifier identifier;
-  private final long                deviceId;
-  private final String              password;
-
-  private AuthorizationHeader(AmbiguousIdentifier identifier, long deviceId, String password) {
-    this.identifier = identifier;
-    this.deviceId   = deviceId;
-    this.password   = password;
-  }
-
-  public static AuthorizationHeader fromUserAndPassword(String user, String password) throws InvalidAuthorizationHeaderException {
-    try {
-      String[] numberAndId = user.split("\\.");
-      return new AuthorizationHeader(new AmbiguousIdentifier(numberAndId[0]),
-                                     numberAndId.length > 1 ? Long.parseLong(numberAndId[1]) : 1,
-                                     password);
-    } catch (NumberFormatException nfe) {
-      throw new InvalidAuthorizationHeaderException(nfe);
-    }
-  }
-
-  public static AuthorizationHeader fromFullHeader(String header) throws InvalidAuthorizationHeaderException {
-    try {
-      if (header == null) {
-        throw new InvalidAuthorizationHeaderException("Null header");
-      }
-
-      String[] headerParts = header.split(" ");
-
-      if (headerParts == null || headerParts.length < 2) {
-        throw new InvalidAuthorizationHeaderException("Invalid authorization header: " + header);
-      }
-
-      if (!"Basic".equals(headerParts[0])) {
-        throw new InvalidAuthorizationHeaderException("Unsupported authorization method: " + headerParts[0]);
-      }
-
-      String concatenatedValues = new String(Base64.decode(headerParts[1]));
-
-      if (Util.isEmpty(concatenatedValues)) {
-        throw new InvalidAuthorizationHeaderException("Bad decoded value: " + concatenatedValues);
-      }
-
-      String[] credentialParts = concatenatedValues.split(":");
-
-      if (credentialParts == null || credentialParts.length < 2) {
-        throw new InvalidAuthorizationHeaderException("Badly formated credentials: " + concatenatedValues);
-      }
-
-      return fromUserAndPassword(credentialParts[0], credentialParts[1]);
-    } catch (IOException ioe) {
-      throw new InvalidAuthorizationHeaderException(ioe);
-    }
-  }
-
-  public AmbiguousIdentifier getIdentifier() {
-    return identifier;
-  }
-
-  public long getDeviceId() {
-    return deviceId;
-  }
-
-  public String getPassword() {
-    return password;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java

@@ -1,42 +1,38 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013-2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.auth;
 
-import com.codahale.metrics.Meter;
-import com.codahale.metrics.MetricRegistry;
-import com.codahale.metrics.SharedMetricRegistries;
+import static com.codahale.metrics.MetricRegistry.name;
+
 import com.google.common.annotations.VisibleForTesting;
 import io.dropwizard.auth.basic.BasicCredentials;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.util.Constants;
-import org.whispersystems.textsecuregcm.util.Util;
-
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tags;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.temporal.ChronoUnit;
 import java.util.Optional;
-
-import static com.codahale.metrics.MetricRegistry.name;
+import java.util.UUID;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.storage.RefreshingAccountAndDeviceSupplier;
+import org.whispersystems.textsecuregcm.util.Pair;
+import org.whispersystems.textsecuregcm.util.Util;
 
 public class BaseAccountAuthenticator {
 
-  private final MetricRegistry metricRegistry               = SharedMetricRegistries.getOrCreate(Constants.METRICS_NAME);
-  private final Meter          authenticationFailedMeter    = metricRegistry.meter(name(getClass(), "authentication", "failed"         ));
-  private final Meter          authenticationSucceededMeter = metricRegistry.meter(name(getClass(), "authentication", "succeeded"      ));
-  private final Meter          noSuchAccountMeter           = metricRegistry.meter(name(getClass(), "authentication", "noSuchAccount"  ));
-  private final Meter          noSuchDeviceMeter            = metricRegistry.meter(name(getClass(), "authentication", "noSuchDevice"   ));
-  private final Meter          accountDisabledMeter         = metricRegistry.meter(name(getClass(), "authentication", "accountDisabled"));
-  private final Meter          deviceDisabledMeter          = metricRegistry.meter(name(getClass(), "authentication", "deviceDisabled" ));
-  private final Meter          invalidAuthHeaderMeter       = metricRegistry.meter(name(getClass(), "authentication", "invalidHeader"  ));
+  private static final String AUTHENTICATION_COUNTER_NAME = name(BaseAccountAuthenticator.class, "authentication");
+  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
+  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
+  private static final String AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME = "enabledRequired";
 
-  private final Logger logger = LoggerFactory.getLogger(AccountAuthenticator.class);
+  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(BaseAccountAuthenticator.class, "daysSinceLastSeen");
+  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";
 
   private final AccountsManager accountsManager;
   private final Clock           clock;
@@ -51,59 +47,100 @@ public class BaseAccountAuthenticator {
     this.clock           = clock;
   }
 
-  public Optional<Account> authenticate(BasicCredentials basicCredentials, boolean enabledRequired) {
-    try {
-      AuthorizationHeader authorizationHeader = AuthorizationHeader.fromUserAndPassword(basicCredentials.getUsername(), basicCredentials.getPassword());
-      Optional<Account>   account             = accountsManager.get(authorizationHeader.getIdentifier());
+  static Pair<String, Long> getIdentifierAndDeviceId(final String basicUsername) {
+    final String identifier;
+    final long deviceId;
 
-      if (!account.isPresent()) {
-        noSuchAccountMeter.mark();
+    final int deviceIdSeparatorIndex = basicUsername.indexOf('.');
+
+    if (deviceIdSeparatorIndex == -1) {
+      identifier = basicUsername;
+      deviceId = Device.MASTER_ID;
+    } else {
+      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
+      deviceId = Long.parseLong(basicUsername.substring(deviceIdSeparatorIndex + 1));
+    }
+
+    return new Pair<>(identifier, deviceId);
+  }
+
+  public Optional<AuthenticatedAccount> authenticate(BasicCredentials basicCredentials, boolean enabledRequired) {
+    boolean succeeded = false;
+    String failureReason = null;
+
+    try {
+      final UUID accountUuid;
+      final long deviceId;
+      {
+        final Pair<String, Long> identifierAndDeviceId = getIdentifierAndDeviceId(basicCredentials.getUsername());
+
+        accountUuid = UUID.fromString(identifierAndDeviceId.first());
+        deviceId = identifierAndDeviceId.second();
+      }
+
+      Optional<Account> account = accountsManager.getByAccountIdentifier(accountUuid);
+
+      if (account.isEmpty()) {
+        failureReason = "noSuchAccount";
         return Optional.empty();
       }
 
-      Optional<Device> device = account.get().getDevice(authorizationHeader.getDeviceId());
+      Optional<Device> device = account.get().getDevice(deviceId);
 
-      if (!device.isPresent()) {
-        noSuchDeviceMeter.mark();
+      if (device.isEmpty()) {
+        failureReason = "noSuchDevice";
         return Optional.empty();
       }
 
       if (enabledRequired) {
         if (!device.get().isEnabled()) {
-          deviceDisabledMeter.mark();
+          failureReason = "deviceDisabled";
           return Optional.empty();
         }
 
         if (!account.get().isEnabled()) {
-          accountDisabledMeter.mark();
+          failureReason = "accountDisabled";
           return Optional.empty();
         }
       }
 
       if (device.get().getAuthenticationCredentials().verify(basicCredentials.getPassword())) {
-        authenticationSucceededMeter.mark();
-        account.get().setAuthenticatedDevice(device.get());
-        updateLastSeen(account.get(), device.get());
-        return account;
+        succeeded = true;
+        final Account authenticatedAccount = updateLastSeen(account.get(), device.get());
+        return Optional.of(new AuthenticatedAccount(
+            new RefreshingAccountAndDeviceSupplier(authenticatedAccount, device.get().getId(), accountsManager)));
       }
 
-      authenticationFailedMeter.mark();
       return Optional.empty();
     } catch (IllegalArgumentException | InvalidAuthorizationHeaderException iae) {
-      invalidAuthHeaderMeter.mark();
+      failureReason = "invalidHeader";
       return Optional.empty();
+    } finally {
+      Tags tags = Tags.of(
+          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded),
+          AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME, String.valueOf(enabledRequired));
+
+      if (StringUtils.isNotBlank(failureReason)) {
+        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
+      }
+
+      Metrics.counter(AUTHENTICATION_COUNTER_NAME, tags).increment();
     }
   }
 
   @VisibleForTesting
-  public void updateLastSeen(Account account, Device device) {
+  public Account updateLastSeen(Account account, Device device) {
     final long lastSeenOffsetSeconds   = Math.abs(account.getUuid().getLeastSignificantBits()) % ChronoUnit.DAYS.getDuration().toSeconds();
     final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock, Duration.ofSeconds(lastSeenOffsetSeconds).negated());
 
     if (device.getLastSeen() < todayInMillisWithOffset) {
-      device.setLastSeen(Util.todayInMillis(clock));
-      accountsManager.update(account);
+      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isMaster()))
+          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());
+
+      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
     }
+
+    return account;
   }
 
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/BasicAuthorizationHeader.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Base64;
+import java.util.UUID;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+public class BasicAuthorizationHeader {
+
+  private final String username;
+  private final long deviceId;
+  private final String password;
+
+  private BasicAuthorizationHeader(final String username, final long deviceId, final String password) {
+    this.username = username;
+    this.deviceId = deviceId;
+    this.password = password;
+  }
+
+  public static BasicAuthorizationHeader fromString(final String header) throws InvalidAuthorizationHeaderException {
+    try {
+      if (StringUtils.isBlank(header)) {
+        throw new InvalidAuthorizationHeaderException("Blank header");
+      }
+
+      final int spaceIndex = header.indexOf(' ');
+
+      if (spaceIndex == -1) {
+        throw new InvalidAuthorizationHeaderException("Invalid authorization header: " + header);
+      }
+
+      final String authorizationType = header.substring(0, spaceIndex);
+
+      if (!"Basic".equals(authorizationType)) {
+        throw new InvalidAuthorizationHeaderException("Unsupported authorization method: " + authorizationType);
+      }
+
+      final String credentials;
+
+      try {
+        credentials = new String(Base64.getDecoder().decode(header.substring(spaceIndex + 1)));
+      } catch (final IndexOutOfBoundsException e) {
+        throw new InvalidAuthorizationHeaderException("Missing credentials");
+      }
+
+      if (StringUtils.isEmpty(credentials)) {
+        throw new InvalidAuthorizationHeaderException("Bad decoded value: " + credentials);
+      }
+
+      final int credentialSeparatorIndex = credentials.indexOf(':');
+
+      if (credentialSeparatorIndex == -1) {
+        throw new InvalidAuthorizationHeaderException("Badly-formatted credentials: " + credentials);
+      }
+
+      final String usernameComponent = credentials.substring(0, credentialSeparatorIndex);
+
+      final String username;
+      final long deviceId;
+      {
+        final Pair<String, Long> identifierAndDeviceId =
+            BaseAccountAuthenticator.getIdentifierAndDeviceId(usernameComponent);
+
+        username = identifierAndDeviceId.first();
+        deviceId = identifierAndDeviceId.second();
+      }
+
+      final String password = credentials.substring(credentialSeparatorIndex + 1);
+
+      if (StringUtils.isAnyBlank(username, password)) {
+        throw new InvalidAuthorizationHeaderException("Username or password were blank");
+      }
+
+      return new BasicAuthorizationHeader(username, deviceId, password);
+    } catch (final IllegalArgumentException | IndexOutOfBoundsException e) {
+      throw new InvalidAuthorizationHeaderException(e);
+    }
+  }
+
+  public String getUsername() {
+    return username;
+  }
+
+  public long getDeviceId() {
+    return deviceId;
+  }
+
+  public String getPassword() {
+    return password;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java

@@ -13,10 +13,10 @@ import org.whispersystems.textsecuregcm.entities.MessageProtos.SenderCertificate
 import org.whispersystems.textsecuregcm.entities.MessageProtos.ServerCertificate;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;
-import org.whispersystems.textsecuregcm.util.Base64;
 
 import java.io.IOException;
 import java.security.InvalidKeyException;
+import java.util.Base64;
 import java.util.concurrent.TimeUnit;
 
 public class CertificateGenerator {
@@ -33,11 +33,11 @@ public class CertificateGenerator {
     this.serverCertificate = ServerCertificate.parseFrom(serverCertificate);
   }
 
-  public byte[] createFor(Account account, Device device, boolean includeE164) throws IOException, InvalidKeyException {
+  public byte[] createFor(Account account, Device device, boolean includeE164) throws InvalidKeyException {
     SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
                                                                                  .setSenderDevice(Math.toIntExact(device.getId()))
                                                                                  .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
-                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.decode(account.getIdentityKey())))
+                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.getDecoder().decode(account.getIdentityKey())))
                                                                                  .setSigner(serverCertificate)
                                                                                  .setSenderUuid(account.getUuid().toString());
 

service/src/main/java/org/whispersystems/textsecuregcm/auth/ChangesDeviceEnabledState.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Indicates that an endpoint may change the "enabled" state of one or more devices associated with an account, and that
+ * any websockets associated with the account may need to be refreshed after a call to that endpoint.
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ChangesDeviceEnabledState {
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/CombinedUnidentifiedSenderAccessKeys.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Base64;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+
+public class CombinedUnidentifiedSenderAccessKeys {
+  private final byte[] combinedUnidentifiedSenderAccessKeys;
+
+  public CombinedUnidentifiedSenderAccessKeys(String header) {
+    try {
+      this.combinedUnidentifiedSenderAccessKeys = Base64.getDecoder().decode(header);
+      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != 16) {
+        throw new WebApplicationException("Invalid combined unidentified sender access keys", Status.UNAUTHORIZED);
+      }
+    } catch (IllegalArgumentException e) {
+      throw new WebApplicationException(e, Response.Status.UNAUTHORIZED);
+    }
+  }
+
+  public byte[] getAccessKeys() {
+    return combinedUnidentifiedSenderAccessKeys;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ContainerRequestUtil.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.glassfish.jersey.server.ContainerRequest;
+import org.whispersystems.textsecuregcm.storage.Account;
+import javax.ws.rs.core.SecurityContext;
+import java.util.Optional;
+
+class ContainerRequestUtil {
+
+  static Optional<Account> getAuthenticatedAccount(final ContainerRequest request) {
+    return Optional.ofNullable(request.getSecurityContext())
+        .map(SecurityContext::getUserPrincipal)
+        .map(principal -> principal instanceof AccountAndAuthenticatedDeviceHolder
+            ? ((AccountAndAuthenticatedDeviceHolder) principal).getAccount() : null);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAccount.java

@@ -1,36 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import org.whispersystems.textsecuregcm.storage.Account;
-
-import javax.security.auth.Subject;
-import java.security.Principal;
-
-public class DisabledPermittedAccount implements Principal  {
-
-  private final Account account;
-
-  public DisabledPermittedAccount(Account account) {
-    this.account = account;
-  }
-
-  public Account getAccount() {
-    return account;
-  }
-
-  // Principal implementation
-
-  @Override
-  public String getName() {
-    return null;
-  }
-
-  @Override
-  public boolean implies(Subject subject) {
-    return false;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAccountAuthenticator.java

@@ -1,27 +1,25 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013-2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.whispersystems.textsecuregcm.storage.Account;
-import org.whispersystems.textsecuregcm.storage.AccountsManager;
-
-import java.util.Optional;
-
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.basic.BasicCredentials;
+import java.util.Optional;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
 
-public class DisabledPermittedAccountAuthenticator extends BaseAccountAuthenticator implements Authenticator<BasicCredentials, DisabledPermittedAccount> {
+public class DisabledPermittedAccountAuthenticator extends BaseAccountAuthenticator implements
+    Authenticator<BasicCredentials, DisabledPermittedAuthenticatedAccount> {
 
   public DisabledPermittedAccountAuthenticator(AccountsManager accountsManager) {
     super(accountsManager);
   }
-  
+
   @Override
-  public Optional<DisabledPermittedAccount> authenticate(BasicCredentials credentials) {
-    Optional<Account> account = super.authenticate(credentials, false);
-    return account.map(DisabledPermittedAccount::new);
+  public Optional<DisabledPermittedAuthenticatedAccount> authenticate(BasicCredentials credentials) {
+    Optional<AuthenticatedAccount> account = super.authenticate(credentials, false);
+    return account.map(DisabledPermittedAuthenticatedAccount::new);
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAuthenticatedAccount.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.security.Principal;
+import javax.security.auth.Subject;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class DisabledPermittedAuthenticatedAccount implements Principal, AccountAndAuthenticatedDeviceHolder {
+
+  private final AuthenticatedAccount authenticatedAccount;
+
+  public DisabledPermittedAuthenticatedAccount(final AuthenticatedAccount authenticatedAccount) {
+    this.authenticatedAccount = authenticatedAccount;
+  }
+
+  @Override
+  public Account getAccount() {
+    return authenticatedAccount.getAccount();
+  }
+
+  @Override
+  public Device getAuthenticatedDevice() {
+    return authenticatedAccount.getAuthenticatedDevice();
+  }
+
+  // Principal implementation
+
+  @Override
+  public String getName() {
+    return null;
+  }
+
+  @Override
+  public boolean implies(Subject subject) {
+    return false;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java

@@ -1,97 +1,71 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013-2021 Signal Messenger, LLC
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.apache.commons.codec.DecoderException;
-import org.apache.commons.codec.binary.Hex;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.textsecuregcm.util.Util;
-
+import com.google.common.annotations.VisibleForTesting;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.time.Clock;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.InvalidKeyException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.concurrent.TimeUnit;
+import org.apache.commons.codec.binary.Hex;
+import org.whispersystems.textsecuregcm.util.Util;
 
 public class ExternalServiceCredentialGenerator {
 
-  private final Logger logger = LoggerFactory.getLogger(ExternalServiceCredentialGenerator.class);
-
   private final byte[] key;
   private final byte[] userIdKey;
   private final boolean usernameDerivation;
+  private final boolean prependUsername;
+  private final Clock clock;
 
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation) {
-    this.key                = key;
-    this.userIdKey          = userIdKey;
-    this.usernameDerivation = usernameDerivation;
+  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey) {
+    this(key, userIdKey, true, true);
   }
 
-  public ExternalServiceCredentials generateFor(String number) {
-    Mac    mac                = getMacInstance();
-    String username           = getUserId(number, mac, usernameDerivation);
-    long   currentTimeSeconds = System.currentTimeMillis() / 1000;
-    String prefix             = username + ":"  + currentTimeSeconds;
-    String output             = Hex.encodeHexString(Util.truncate(getHmac(key, prefix.getBytes(), mac), 10));
-    String token              = prefix + ":" + output;
+  public ExternalServiceCredentialGenerator(byte[] key, boolean prependUsername) {
+    this(key, new byte[0], false, prependUsername);
+  }
+
+  @VisibleForTesting
+  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation) {
+    this(key, userIdKey, usernameDerivation, true);
+  }
+
+  private ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
+      boolean prependUsername) {
+    this(key, userIdKey, usernameDerivation, prependUsername, Clock.systemUTC());
+  }
+
+  @VisibleForTesting
+  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
+      boolean prependUsername, Clock clock) {
+    this.key = key;
+    this.userIdKey = userIdKey;
+    this.usernameDerivation = usernameDerivation;
+    this.prependUsername = prependUsername;
+    this.clock = clock;
+  }
+
+  public ExternalServiceCredentials generateFor(String identity) {
+    Mac mac = getMacInstance();
+    String username = getUserId(identity, mac, usernameDerivation);
+    long currentTimeSeconds = clock.millis() / 1000;
+    String prefix = username + ":" + currentTimeSeconds;
+    String output = Hex.encodeHexString(Util.truncate(getHmac(key, prefix.getBytes(), mac), 10));
+    String token = (prependUsername ? prefix : currentTimeSeconds) + ":" + output;
 
     return new ExternalServiceCredentials(username, token);
   }
 
-
-  public boolean isValid(String token, String number, long currentTimeMillis) {
-    String[] parts = token.split(":");
-    Mac      mac   = getMacInstance();
-
-    if (parts.length != 3) {
-      return false;
-    }
-
-    if (!getUserId(number, mac, usernameDerivation).equals(parts[0])) {
-      return false;
-    }
-
-    if (!isValidTime(parts[1], currentTimeMillis)) {
-      return false;
-    }
-
-    return isValidSignature(parts[0] + ":" + parts[1], parts[2], mac);
-  }
-
   private String getUserId(String number, Mac mac, boolean usernameDerivation) {
     if (usernameDerivation) return Hex.encodeHexString(Util.truncate(getHmac(userIdKey, number.getBytes(), mac), 10));
     else                    return number;
   }
 
-  private boolean isValidTime(String timeString, long currentTimeMillis) {
-    try {
-      long tokenTime = Long.parseLong(timeString);
-      long ourTime   = TimeUnit.MILLISECONDS.toSeconds(currentTimeMillis);
-
-      return TimeUnit.SECONDS.toHours(Math.abs(ourTime - tokenTime)) < 24;
-    } catch (NumberFormatException e) {
-      logger.warn("Number Format", e);
-      return false;
-    }
-  }
-
-  private boolean isValidSignature(String prefix, String suffix, Mac mac) {
-    try {
-      byte[] ourSuffix   = Util.truncate(getHmac(key, prefix.getBytes(), mac), 10);
-      byte[] theirSuffix = Hex.decodeHex(suffix.toCharArray());
-
-      return MessageDigest.isEqual(ourSuffix, theirSuffix);
-    } catch (DecoderException e) {
-      logger.warn("DirectoryCredentials", e);
-      return false;
-    }
-  }
-
   private Mac getMacInstance() {
     try {
       return Mac.getInstance("HmacSHA256");

service/src/main/java/org/whispersystems/textsecuregcm/auth/InvalidAuthorizationHeaderException.java

@@ -5,12 +5,15 @@
 package org.whispersystems.textsecuregcm.auth;
 
 
-public class InvalidAuthorizationHeaderException extends Exception {
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response.Status;
+
+public class InvalidAuthorizationHeaderException extends WebApplicationException {
   public InvalidAuthorizationHeaderException(String s) {
-    super(s);
+    super(s, Status.UNAUTHORIZED);
   }
 
   public InvalidAuthorizationHeaderException(Exception e) {
-    super(e);
+    super(e, Status.UNAUTHORIZED);
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/PhoneNumberChangeRefreshRequirementProvider.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.stream.Collectors;
+import org.glassfish.jersey.server.ContainerRequest;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+public class PhoneNumberChangeRefreshRequirementProvider implements WebsocketRefreshRequirementProvider {
+
+  private static final String INITIAL_NUMBER_KEY =
+      PhoneNumberChangeRefreshRequirementProvider.class.getName() + ".initialNumber";
+
+  @Override
+  public void handleRequestFiltered(final RequestEvent requestEvent) {
+    ContainerRequestUtil.getAuthenticatedAccount(requestEvent.getContainerRequest())
+        .ifPresent(account -> requestEvent.getContainerRequest().setProperty(INITIAL_NUMBER_KEY, account.getNumber()));
+  }
+
+  @Override
+  public List<Pair<UUID, Long>> handleRequestFinished(final RequestEvent requestEvent) {
+    final String initialNumber = (String) requestEvent.getContainerRequest().getProperty(INITIAL_NUMBER_KEY);
+
+    if (initialNumber != null) {
+      final Optional<Account> maybeAuthenticatedAccount =
+          ContainerRequestUtil.getAuthenticatedAccount(requestEvent.getContainerRequest());
+
+      return maybeAuthenticatedAccount
+          .filter(account -> !initialNumber.equals(account.getNumber()))
+          .map(account -> account.getDevices().stream()
+              .map(device -> new Pair<>(account.getUuid(), device.getId()))
+              .collect(Collectors.toList()))
+          .orElse(Collections.emptyList());
+    } else {
+      return Collections.emptyList();
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredRegistrationLock.java

@@ -9,7 +9,6 @@ import com.google.common.annotations.VisibleForTesting;
 import org.whispersystems.textsecuregcm.util.Util;
 
 import javax.annotation.Nullable;
-import java.security.MessageDigest;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
@@ -20,42 +19,33 @@ public class StoredRegistrationLock {
 
   private final Optional<String> registrationLockSalt;
 
-  private final Optional<String> deprecatedPin;
-
   private final long             lastSeen;
 
-  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, Optional<String> deprecatedPin, long lastSeen) {
+  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, long lastSeen) {
     this.registrationLock     = registrationLock;
     this.registrationLockSalt = registrationLockSalt;
-    this.deprecatedPin        = deprecatedPin;
     this.lastSeen             = lastSeen;
   }
 
   public boolean requiresClientRegistrationLock() {
-    return ((registrationLock.isPresent() && registrationLockSalt.isPresent())  || deprecatedPin.isPresent()) && System.currentTimeMillis() - lastSeen < TimeUnit.DAYS.toMillis(7);
+    return registrationLock.isPresent() && registrationLockSalt.isPresent() && System.currentTimeMillis() - lastSeen < TimeUnit.DAYS.toMillis(7);
   }
 
   public boolean needsFailureCredentials() {
     return registrationLock.isPresent() && registrationLockSalt.isPresent();
   }
 
-  public boolean hasDeprecatedPin() {
-    return deprecatedPin.isPresent();
-  }
-
   public long getTimeRemaining() {
     return TimeUnit.DAYS.toMillis(7) - (System.currentTimeMillis() - lastSeen);
   }
 
-  public boolean verify(@Nullable String clientRegistrationLock, @Nullable String clientDeprecatedPin) {
-    if (Util.isEmpty(clientRegistrationLock) && Util.isEmpty(clientDeprecatedPin)) {
+  public boolean verify(@Nullable String clientRegistrationLock) {
+    if (Util.isEmpty(clientRegistrationLock)) {
       return false;
     }
 
     if (registrationLock.isPresent() && registrationLockSalt.isPresent() && !Util.isEmpty(clientRegistrationLock)) {
       return new AuthenticationCredentials(registrationLock.get(), registrationLockSalt.get()).verify(clientRegistrationLock);
-    } else if (deprecatedPin.isPresent() && !Util.isEmpty(clientDeprecatedPin)) {
-      return MessageDigest.isEqual(deprecatedPin.get().getBytes(), clientDeprecatedPin.getBytes());
     } else {
       return false;
     }
@@ -63,6 +53,6 @@ public class StoredRegistrationLock {
 
   @VisibleForTesting
   public StoredRegistrationLock forTime(long timestamp) {
-    return new StoredRegistrationLock(registrationLock, registrationLockSalt, deprecatedPin, timestamp);
+    return new StoredRegistrationLock(registrationLock, registrationLockSalt, timestamp);
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredVerificationCode.java

@@ -5,30 +5,42 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
-
-import org.whispersystems.textsecuregcm.util.Util;
-
 import java.security.MessageDigest;
-import java.util.concurrent.TimeUnit;
+import java.time.Duration;
+import java.util.Optional;
+import javax.annotation.Nullable;
+import org.whispersystems.textsecuregcm.util.Util;
 
 public class StoredVerificationCode {
 
   @JsonProperty
-  private String code;
+  private final String code;
 
   @JsonProperty
-  private long   timestamp;
+  private final long timestamp;
 
   @JsonProperty
-  private String pushCode;
+  private final String pushCode;
 
-  public StoredVerificationCode() {}
+  @JsonProperty
+  @Nullable
+  private final String twilioVerificationSid;
 
-  public StoredVerificationCode(String code, long timestamp, String pushCode) {
-    this.code      = code;
+  public static final Duration EXPIRATION = Duration.ofMinutes(10);
+
+  @JsonCreator
+  public StoredVerificationCode(
+      @JsonProperty("code") final String code,
+      @JsonProperty("timestamp") final long timestamp,
+      @JsonProperty("pushCode") final String pushCode,
+      @JsonProperty("twilioVerificationSid") @Nullable final String twilioVerificationSid) {
+
+    this.code = code;
     this.timestamp = timestamp;
-    this.pushCode  = pushCode;
+    this.pushCode = pushCode;
+    this.twilioVerificationSid = twilioVerificationSid;
   }
 
   public String getCode() {
@@ -43,19 +55,18 @@ public class StoredVerificationCode {
     return pushCode;
   }
 
-  public boolean isValid(String theirCodeString) {
-    if (timestamp + TimeUnit.MINUTES.toMillis(10) < System.currentTimeMillis()) {
-      return false;
-    }
+  public Optional<String> getTwilioVerificationSid() {
+    return Optional.ofNullable(twilioVerificationSid);
+  }
 
+  public boolean isValid(String theirCodeString) {
     if (Util.isEmpty(code) || Util.isEmpty(theirCodeString)) {
       return false;
     }
 
-    byte[] ourCode   = code.getBytes();
+    byte[] ourCode = code.getBytes();
     byte[] theirCode = theirCodeString.getBytes();
 
     return MessageDigest.isEqual(ourCode, theirCode);
   }
-
 }

service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnTokenGenerator.java

@@ -6,13 +6,13 @@
 package org.whispersystems.textsecuregcm.auth;
 
 import org.whispersystems.textsecuregcm.configuration.TurnConfiguration;
-import org.whispersystems.textsecuregcm.util.Base64;
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.util.Base64;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 
@@ -34,7 +34,7 @@ public class TurnTokenGenerator {
       String userTime           = validUntilSeconds + ":"  + user;
 
       mac.init(new SecretKeySpec(key, "HmacSHA1"));
-      String password = Base64.encodeBytes(mac.doFinal(userTime.getBytes()));
+      String password = Base64.getEncoder().encodeToString(mac.doFinal(userTime.getBytes()));
 
       return new TurnToken(userTime, password, urls);
     } catch (NoSuchAlgorithmException | InvalidKeyException e) {

service/src/main/java/org/whispersystems/textsecuregcm/auth/UnidentifiedAccessChecksum.java

@@ -5,12 +5,11 @@
 
 package org.whispersystems.textsecuregcm.auth;
 
-import org.whispersystems.textsecuregcm.util.Base64;
-
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
 import java.util.Optional;
 
 @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
@@ -23,7 +22,7 @@ public class UnidentifiedAccessChecksum {
       Mac mac = Mac.getInstance("HmacSHA256");
       mac.init(new SecretKeySpec(unidentifiedAccessKey.get(), "HmacSHA256"));
 
-      return Base64.encodeBytes(mac.doFinal(new byte[32]));
+      return Base64.getEncoder().encodeToString(mac.doFinal(new byte[32]));
     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
       throw new AssertionError(e);
     }

service/src/main/java/org/whispersystems/textsecuregcm/auth/WebsocketRefreshApplicationEventListener.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.glassfish.jersey.server.monitoring.ApplicationEvent;
+import org.glassfish.jersey.server.monitoring.ApplicationEventListener;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.glassfish.jersey.server.monitoring.RequestEventListener;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+
+/**
+ * Delegates request events to a listener that watches for intra-request changes that require websocket refreshes
+ */
+public class WebsocketRefreshApplicationEventListener implements ApplicationEventListener {
+
+  private final WebsocketRefreshRequestEventListener websocketRefreshRequestEventListener;
+
+  public WebsocketRefreshApplicationEventListener(final AccountsManager accountsManager,
+      final ClientPresenceManager clientPresenceManager) {
+
+    this.websocketRefreshRequestEventListener = new WebsocketRefreshRequestEventListener(clientPresenceManager,
+        new AuthEnablementRefreshRequirementProvider(accountsManager),
+        new PhoneNumberChangeRefreshRequirementProvider());
+  }
+
+  @Override
+  public void onEvent(final ApplicationEvent event) {
+  }
+
+  @Override
+  public RequestEventListener onRequest(final RequestEvent requestEvent) {
+    return websocketRefreshRequestEventListener;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/WebsocketRefreshRequestEventListener.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.Arrays;
+import java.util.concurrent.atomic.AtomicInteger;
+import io.micrometer.core.instrument.Counter;
+import io.micrometer.core.instrument.Metrics;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.glassfish.jersey.server.monitoring.RequestEvent.Type;
+import org.glassfish.jersey.server.monitoring.RequestEventListener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+
+import javax.ws.rs.container.ResourceInfo;
+import javax.ws.rs.core.Context;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+public class WebsocketRefreshRequestEventListener implements RequestEventListener {
+
+  private final ClientPresenceManager clientPresenceManager;
+  private final WebsocketRefreshRequirementProvider[] providers;
+
+  private static final Counter DISPLACED_ACCOUNTS = Metrics.counter(
+      name(WebsocketRefreshRequestEventListener.class, "displacedAccounts"));
+
+  private static final Counter DISPLACED_DEVICES = Metrics.counter(
+      name(WebsocketRefreshRequestEventListener.class, "displacedDevices"));
+
+  private static final Logger logger = LoggerFactory.getLogger(WebsocketRefreshRequestEventListener.class);
+
+  public WebsocketRefreshRequestEventListener(
+      final ClientPresenceManager clientPresenceManager,
+      final WebsocketRefreshRequirementProvider... providers) {
+
+    this.clientPresenceManager = clientPresenceManager;
+    this.providers = providers;
+  }
+
+  @Context
+  private ResourceInfo resourceInfo;
+
+  @Override
+  public void onEvent(final RequestEvent event) {
+    if (event.getType() == Type.REQUEST_FILTERED) {
+      for (final WebsocketRefreshRequirementProvider provider : providers) {
+        provider.handleRequestFiltered(event);
+      }
+    } else if (event.getType() == Type.FINISHED) {
+      final AtomicInteger displacedDevices = new AtomicInteger(0);
+
+      Arrays.stream(providers)
+          .flatMap(provider -> provider.handleRequestFinished(event).stream())
+          .distinct()
+          .forEach(pair -> {
+            try {
+              displacedDevices.incrementAndGet();
+              clientPresenceManager.displacePresence(pair.first(), pair.second());
+            } catch (final Exception e) {
+              logger.error("Could not displace device presence", e);
+            }
+          });
+
+      if (displacedDevices.get() > 0) {
+        DISPLACED_ACCOUNTS.increment();
+        DISPLACED_DEVICES.increment(displacedDevices.get());
+      }
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/auth/WebsocketRefreshRequirementProvider.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.List;
+import java.util.UUID;
+import org.glassfish.jersey.server.ContainerRequest;
+import org.glassfish.jersey.server.monitoring.RequestEvent;
+import org.whispersystems.textsecuregcm.util.Pair;
+
+/**
+ * A websocket refresh requirement provider watches for intra-request changes (e.g. to authentication status) that
+ * require a websocket refresh.
+ */
+public interface WebsocketRefreshRequirementProvider {
+
+  /**
+   * Processes a request after filters have run and the request has been mapped to a destination controller.
+   *
+   * @param requestEvent the request event to observe
+   */
+  void handleRequestFiltered(RequestEvent requestEvent);
+
+  /**
+   * Processes a request after all normal request handling has been completed.
+   *
+   * @param requestEvent the request event to observe
+   * @return a list of pairs of account UUID/device ID pairs identifying websockets that need to be refreshed as a
+   * result of the observed request
+   */
+  List<Pair<UUID, Long>> handleRequestFinished(RequestEvent requestEvent);
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/BadgeTranslator.java

@@ -0,0 +1,14 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import java.util.List;
+import java.util.Locale;
+import org.whispersystems.textsecuregcm.entities.Badge;
+
+public interface BadgeTranslator {
+  Badge translate(List<Locale> acceptableLanguages, String badgeId);
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/ConfiguredProfileBadgeConverter.java

@@ -0,0 +1,131 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.ResourceBundle;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import org.signal.i18n.HeaderControlledResourceBundleLookup;
+import org.whispersystems.textsecuregcm.configuration.BadgeConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
+import org.whispersystems.textsecuregcm.entities.Badge;
+import org.whispersystems.textsecuregcm.entities.BadgeSvg;
+import org.whispersystems.textsecuregcm.entities.SelfBadge;
+import org.whispersystems.textsecuregcm.storage.AccountBadge;
+
+public class ConfiguredProfileBadgeConverter implements ProfileBadgeConverter, BadgeTranslator {
+
+  @VisibleForTesting
+  static final String BASE_NAME = "org.signal.badges.Badges";
+
+  private final Clock clock;
+  private final Map<String, BadgeConfiguration> knownBadges;
+  private final List<String> badgeIdsEnabledForAll;
+  private final HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup;
+
+  public ConfiguredProfileBadgeConverter(
+      final Clock clock,
+      final BadgesConfiguration badgesConfiguration,
+      final HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup) {
+    this.clock = clock;
+    this.knownBadges = badgesConfiguration.getBadges().stream()
+        .collect(Collectors.toMap(BadgeConfiguration::getId, Function.identity()));
+    this.badgeIdsEnabledForAll = badgesConfiguration.getBadgeIdsEnabledForAll();
+    this.headerControlledResourceBundleLookup = headerControlledResourceBundleLookup;
+  }
+
+  @Override
+  public Badge translate(final List<Locale> acceptableLanguages, final String badgeId) {
+    final ResourceBundle resourceBundle = headerControlledResourceBundleLookup.getResourceBundle(BASE_NAME,
+        acceptableLanguages);
+    final BadgeConfiguration configuration = knownBadges.get(badgeId);
+    return newBadge(
+        false,
+        configuration.getId(),
+        configuration.getCategory(),
+        resourceBundle.getString(configuration.getId() + "_name"),
+        resourceBundle.getString(configuration.getId() + "_description"),
+        configuration.getSprites(),
+        configuration.getSvg(),
+        configuration.getSvgs(),
+        null,
+        false);
+  }
+
+  @Override
+  public List<Badge> convert(
+      final List<Locale> acceptableLanguages,
+      final List<AccountBadge> accountBadges,
+      final boolean isSelf) {
+    if (accountBadges.isEmpty() && badgeIdsEnabledForAll.isEmpty()) {
+      return List.of();
+    }
+
+    final Instant now = clock.instant();
+    final ResourceBundle resourceBundle = headerControlledResourceBundleLookup.getResourceBundle(BASE_NAME,
+        acceptableLanguages);
+    List<Badge> badges = accountBadges.stream()
+        .filter(accountBadge -> (isSelf || accountBadge.isVisible())
+            && now.isBefore(accountBadge.getExpiration())
+            && knownBadges.containsKey(accountBadge.getId()))
+        .map(accountBadge -> {
+          BadgeConfiguration configuration = knownBadges.get(accountBadge.getId());
+          return newBadge(
+              isSelf,
+              accountBadge.getId(),
+              configuration.getCategory(),
+              resourceBundle.getString(accountBadge.getId() + "_name"),
+              resourceBundle.getString(accountBadge.getId() + "_description"),
+              configuration.getSprites(),
+              configuration.getSvg(),
+              configuration.getSvgs(),
+              accountBadge.getExpiration(),
+              accountBadge.isVisible());
+        })
+        .collect(Collectors.toCollection(ArrayList::new));
+    badges.addAll(badgeIdsEnabledForAll.stream().filter(knownBadges::containsKey).map(id -> {
+      BadgeConfiguration configuration = knownBadges.get(id);
+      return newBadge(
+          isSelf,
+          id,
+          configuration.getCategory(),
+          resourceBundle.getString(id + "_name"),
+          resourceBundle.getString(id + "_description"),
+          configuration.getSprites(),
+          configuration.getSvg(),
+          configuration.getSvgs(),
+          now.plus(Duration.ofDays(1)),
+          true);
+    }).collect(Collectors.toList()));
+    return badges;
+  }
+
+  private Badge newBadge(
+      final boolean isSelf,
+      final String id,
+      final String category,
+      final String name,
+      final String description,
+      final List<String> sprites,
+      final String svg,
+      final List<BadgeSvg> svgs,
+      final Instant expiration,
+      final boolean visible) {
+    if (isSelf) {
+      return new SelfBadge(id, category, name, description, sprites, svg, svgs, expiration, visible);
+    } else {
+      return new Badge(id, category, name, description, sprites, svg, svgs);
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/LevelTranslator.java

@@ -0,0 +1,13 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import java.util.List;
+import java.util.Locale;
+
+public interface LevelTranslator {
+  String translate(List<Locale> acceptableLanguages, String badgeId);
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/ProfileBadgeConverter.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import java.util.List;
+import java.util.Locale;
+import org.whispersystems.textsecuregcm.entities.Badge;
+import org.whispersystems.textsecuregcm.storage.AccountBadge;
+
+public interface ProfileBadgeConverter {
+
+  /**
+   * Converts the {@link AccountBadge}s for an account into the objects
+   * that can be returned on a profile fetch.
+   */
+  List<Badge> convert(List<Locale> acceptableLanguages, List<AccountBadge> accountBadges, boolean isSelf);
+}

service/src/main/java/org/whispersystems/textsecuregcm/badges/ResourceBundleLevelTranslator.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.badges;
+
+import java.util.List;
+import java.util.Locale;
+import java.util.Objects;
+import java.util.ResourceBundle;
+import javax.annotation.Nonnull;
+import org.signal.i18n.HeaderControlledResourceBundleLookup;
+
+public class ResourceBundleLevelTranslator implements LevelTranslator {
+
+  private static final String BASE_NAME = "org.signal.subscriptions.Subscriptions";
+
+  private final HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup;
+
+  public ResourceBundleLevelTranslator(
+      @Nonnull final HeaderControlledResourceBundleLookup headerControlledResourceBundleLookup) {
+    this.headerControlledResourceBundleLookup = Objects.requireNonNull(headerControlledResourceBundleLookup);
+  }
+
+  @Override
+  public String translate(final List<Locale> acceptableLanguages, final String badgeId) {
+    final ResourceBundle resourceBundle = headerControlledResourceBundleLookup.getResourceBundle(BASE_NAME,
+        acceptableLanguages);
+    return resourceBundle.getString(badgeId);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AbusiveMessageFilterConfiguration.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotBlank;
+
+public class AbusiveMessageFilterConfiguration {
+
+  @JsonProperty
+  @NotBlank
+  private final String environment;
+
+  @JsonCreator
+  public AbusiveMessageFilterConfiguration(@JsonProperty("environment") final String environment) {
+    this.environment = environment;
+  }
+
+  public String getEnvironment() {
+    return environment;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/AccountsDynamoDbConfiguration.java

@@ -0,0 +1,31 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotNull;
+
+public class AccountsDynamoDbConfiguration extends DynamoDbConfiguration {
+
+  @NotNull
+  private String phoneNumberTableName;
+
+  @NotNull
+  private String phoneNumberIdentifierTableName;
+
+  private int scanPageSize = 100;
+
+  @JsonProperty
+  public String getPhoneNumberTableName() {
+    return phoneNumberTableName;
+  }
+
+  @JsonProperty
+  public String getPhoneNumberIdentifierTableName() {
+    return phoneNumberIdentifierTableName;
+  }
+
+  @JsonProperty
+  public int getScanPageSize() {
+    return scanPageSize;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/BadgeConfiguration.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.List;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.entities.BadgeSvg;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+
+public class BadgeConfiguration {
+  public static final String CATEGORY_TESTING = "testing";
+
+  private final String id;
+  private final String category;
+  private final List<String> sprites;
+  private final String svg;
+  private final List<BadgeSvg> svgs;
+
+  @JsonCreator
+  public BadgeConfiguration(
+      @JsonProperty("id") final String id,
+      @JsonProperty("category") final String category,
+      @JsonProperty("sprites") final List<String> sprites,
+      @JsonProperty("svg") final String svg,
+      @JsonProperty("svgs") final List<BadgeSvg> svgs) {
+    this.id = id;
+    this.category = category;
+    this.sprites = sprites;
+    this.svg = svg;
+    this.svgs = svgs;
+  }
+
+  @NotEmpty
+  public String getId() {
+    return id;
+  }
+
+  @NotEmpty
+  public String getCategory() {
+    return category;
+  }
+
+  @NotNull
+  @ExactlySize(6)
+  public List<String> getSprites() {
+    return sprites;
+  }
+
+  @NotEmpty
+  public String getSvg() {
+    return svg;
+  }
+
+  @NotNull
+  public List<BadgeSvg> getSvgs() {
+    return svgs;
+  }
+
+  public boolean isTestBadge() {
+    return CATEGORY_TESTING.equals(category);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/BadgesConfiguration.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonSetter;
+import com.fasterxml.jackson.annotation.Nulls;
+import io.dropwizard.validation.ValidationMethod;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.stream.Collectors;
+import javax.validation.Valid;
+import javax.validation.constraints.NotNull;
+
+public class BadgesConfiguration {
+  private final List<BadgeConfiguration> badges;
+  private final List<String> badgeIdsEnabledForAll;
+  private final Map<Long, String> receiptLevels;
+
+  @JsonCreator
+  public BadgesConfiguration(
+      @JsonProperty("badges") @JsonSetter(nulls = Nulls.AS_EMPTY) final List<BadgeConfiguration> badges,
+      @JsonProperty("badgeIdsEnabledForAll") @JsonSetter(nulls = Nulls.AS_EMPTY) final List<String> badgeIdsEnabledForAll,
+      @JsonProperty("receiptLevels") @JsonSetter(nulls = Nulls.AS_EMPTY) final Map<Long, String> receiptLevels) {
+    this.badges = Objects.requireNonNull(badges);
+    this.badgeIdsEnabledForAll = Objects.requireNonNull(badgeIdsEnabledForAll);
+    this.receiptLevels = Objects.requireNonNull(receiptLevels);
+  }
+
+  @Valid
+  @NotNull
+  public List<BadgeConfiguration> getBadges() {
+    return badges;
+  }
+
+  @Valid
+  @NotNull
+  public List<String> getBadgeIdsEnabledForAll() {
+    return badgeIdsEnabledForAll;
+  }
+
+  @Valid
+  @NotNull
+  public Map<Long, String> getReceiptLevels() {
+    return receiptLevels;
+  }
+
+  @JsonIgnore
+  @ValidationMethod(message = "contains receipt level mappings that are not configured badges")
+  public boolean isAllReceiptLevelsConfigured() {
+    final Set<String> badgeNames = badges.stream().map(BadgeConfiguration::getId).collect(Collectors.toSet());
+    return badgeNames.containsAll(receiptLevels.values());
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/BoostConfiguration.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.math.BigDecimal;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+import javax.validation.Valid;
+import javax.validation.constraints.DecimalMin;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+
+public class BoostConfiguration {
+
+  private final long level;
+  private final Duration expiration;
+  private final Map<String, List<BigDecimal>> currencies;
+  private final String badge;
+
+  @JsonCreator
+  public BoostConfiguration(
+      @JsonProperty("level") long level,
+      @JsonProperty("expiration") Duration expiration,
+      @JsonProperty("currencies") Map<String, List<BigDecimal>> currencies,
+      @JsonProperty("badge") String badge) {
+    this.level = level;
+    this.expiration = expiration;
+    this.currencies = currencies;
+    this.badge = badge;
+  }
+
+  public long getLevel() {
+    return level;
+  }
+
+  @NotNull
+  public Duration getExpiration() {
+    return expiration;
+  }
+
+  @Valid
+  @NotNull
+  public Map<@NotEmpty String, @Valid @ExactlySize(6) List<@DecimalMin("0.01") @NotNull BigDecimal>> getCurrencies() {
+    return currencies;
+  }
+
+  @NotEmpty
+  public String getBadge() {
+    return badge;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/CircuitBreakerConfiguration.java

@@ -7,15 +7,15 @@ package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.annotations.VisibleForTesting;
-
+import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
+import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
 import javax.validation.constraints.Max;
 import javax.validation.constraints.Min;
 import javax.validation.constraints.NotNull;
 
-import java.time.Duration;
-
-import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
-
 public class CircuitBreakerConfiguration {
 
   @JsonProperty
@@ -39,6 +39,9 @@ public class CircuitBreakerConfiguration {
   @Min(1)
   private long waitDurationInOpenStateInSeconds = 10;
 
+  @JsonProperty
+  private List<String> ignoredExceptions = Collections.emptyList();
+
 
   public int getFailureRateThreshold() {
     return failureRateThreshold;
@@ -56,6 +59,18 @@ public class CircuitBreakerConfiguration {
     return waitDurationInOpenStateInSeconds;
   }
 
+  public List<Class> getIgnoredExceptions() {
+      return ignoredExceptions.stream()
+          .map(name -> {
+             try {
+               return Class.forName(name);
+             } catch (final ClassNotFoundException e) {
+               throw new RuntimeException(e);
+             }
+          })
+          .collect(Collectors.toList());
+  }
+
   @VisibleForTesting
   public void setFailureRateThreshold(int failureRateThreshold) {
     this.failureRateThreshold = failureRateThreshold;
@@ -76,9 +91,15 @@ public class CircuitBreakerConfiguration {
     this.waitDurationInOpenStateInSeconds = seconds;
   }
 
+  @VisibleForTesting
+  public void setIgnoredExceptions(final List<String> ignoredExceptions) {
+    this.ignoredExceptions = ignoredExceptions;
+  }
+
   public CircuitBreakerConfig toCircuitBreakerConfig() {
     return CircuitBreakerConfig.custom()
                         .failureRateThreshold(getFailureRateThreshold())
+                        .ignoreExceptions(getIgnoredExceptions().toArray(new Class[0]))
                         .ringBufferSizeInHalfOpenState(getRingBufferSizeInHalfOpenState())
                         .waitDurationInOpenState(Duration.ofSeconds(getWaitDurationInOpenStateInSeconds()))
                         .ringBufferSizeInClosedState(getRingBufferSizeInClosedState())

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DatadogConfiguration.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.micrometer.datadog.DatadogConfig;
+import javax.validation.constraints.Min;
+import javax.validation.constraints.NotBlank;
+import javax.validation.constraints.NotNull;
+import java.time.Duration;
+
+public class DatadogConfiguration implements DatadogConfig {
+
+  @JsonProperty
+  @NotBlank
+  private String apiKey;
+
+  @JsonProperty
+  @NotNull
+  private Duration step = Duration.ofSeconds(10);
+
+  @JsonProperty
+  @NotBlank
+  private String environment;
+
+  @JsonProperty
+  @Min(1)
+  private int batchSize = 5_000;
+
+  @Override
+  public String apiKey() {
+    return apiKey;
+  }
+
+  @Override
+  public Duration step() {
+    return step;
+  }
+
+  public String getEnvironment() {
+    return environment;
+  }
+
+  @Override
+  public int batchSize() {
+    return batchSize;
+  }
+
+  @Override
+  public String hostTag() {
+    return "host";
+  }
+
+  @Override
+  public String get(final String key) {
+    return null;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DeletedAccountsDynamoDbConfiguration.java

@@ -0,0 +1,13 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import javax.validation.constraints.NotNull;
+
+public class DeletedAccountsDynamoDbConfiguration extends DynamoDbConfiguration {
+
+  @NotNull
+  private String needsReconciliationIndexName;
+
+  public String getNeedsReconciliationIndexName() {
+    return needsReconciliationIndexName;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2ClientConfiguration.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+
+public class DirectoryV2ClientConfiguration {
+
+  private final byte[] userAuthenticationTokenSharedSecret;
+
+  @JsonCreator
+  public DirectoryV2ClientConfiguration(
+      @JsonProperty("userAuthenticationTokenSharedSecret") final byte[] userAuthenticationTokenSharedSecret) {
+    this.userAuthenticationTokenSharedSecret = userAuthenticationTokenSharedSecret;
+  }
+
+  @ExactlySize({32})
+  public byte[] getUserAuthenticationTokenSharedSecret() {
+    return userAuthenticationTokenSharedSecret;
+  }
+
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DirectoryV2Configuration.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright 2013-2020 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.Valid;
+
+public class DirectoryV2Configuration {
+
+  private final DirectoryV2ClientConfiguration clientConfiguration;
+
+  @JsonCreator
+  public DirectoryV2Configuration(@JsonProperty("client") DirectoryV2ClientConfiguration clientConfiguration) {
+    this.clientConfiguration = clientConfiguration;
+  }
+
+  @Valid
+  public DirectoryV2ClientConfiguration getDirectoryV2ClientConfiguration() {
+    return clientConfiguration;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DonationConfiguration.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.annotations.VisibleForTesting;
+import java.util.Set;
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class DonationConfiguration {
+
+  private String uri;
+  private String description;
+  private Set<String> supportedCurrencies;
+  private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
+  private RetryConfiguration retry = new RetryConfiguration();
+
+  @JsonProperty
+  @NotEmpty
+  public String getUri() {
+    return uri;
+  }
+
+  @VisibleForTesting
+  public void setUri(final String uri) {
+    this.uri = uri;
+  }
+
+  @JsonProperty
+  public String getDescription() {
+    return description;
+  }
+
+  @VisibleForTesting
+  public void setDescription(final String description) {
+    this.description = description;
+  }
+
+  @JsonProperty
+  @NotEmpty
+  public Set<String> getSupportedCurrencies() {
+    return supportedCurrencies;
+  }
+
+  @VisibleForTesting
+  public void setSupportedCurrencies(final Set<String> supportedCurrencies) {
+    this.supportedCurrencies = supportedCurrencies;
+  }
+
+  @JsonProperty
+  @NotNull
+  @Valid
+  public CircuitBreakerConfiguration getCircuitBreaker() {
+    return circuitBreaker;
+  }
+
+  @VisibleForTesting
+  public void setCircuitBreaker(final CircuitBreakerConfiguration circuitBreaker) {
+    this.circuitBreaker = circuitBreaker;
+  }
+
+  @JsonProperty
+  @NotNull
+  @Valid
+  public RetryConfiguration getRetry() {
+    return retry;
+  }
+
+  @VisibleForTesting
+  public void setRetry(final RetryConfiguration retry) {
+    this.retry = retry;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DynamoDbClientConfiguration.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.time.Duration;
+import javax.validation.constraints.NotEmpty;
+
+public class DynamoDbClientConfiguration {
+
+  private final String region;
+  private final Duration clientExecutionTimeout;
+  private final Duration clientRequestTimeout;
+
+  @JsonCreator
+  public DynamoDbClientConfiguration(
+      @JsonProperty("region") final String region,
+      @JsonProperty("clientExcecutionTimeout") final Duration clientExecutionTimeout,
+      @JsonProperty("clientRequestTimeout") final Duration clientRequestTimeout) {
+    this.region = region;
+    this.clientExecutionTimeout = clientExecutionTimeout != null ? clientExecutionTimeout : Duration.ofSeconds(30);
+    this.clientRequestTimeout = clientRequestTimeout != null ? clientRequestTimeout : Duration.ofSeconds(10);
+  }
+
+  @NotEmpty
+  public String getRegion() {
+    return region;
+  }
+
+  public Duration getClientExecutionTimeout() {
+    return clientExecutionTimeout;
+  }
+
+  public Duration getClientRequestTimeout() {
+    return clientRequestTimeout;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/DynamoDbTables.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.time.Duration;
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class DynamoDbTables {
+
+  public static class Table {
+    private final String tableName;
+
+    @JsonCreator
+    public Table(
+        @JsonProperty("tableName") final String tableName) {
+      this.tableName = tableName;
+    }
+
+    @NotEmpty
+    public String getTableName() {
+      return tableName;
+    }
+  }
+
+  public static class TableWithExpiration extends Table {
+    private final Duration expiration;
+
+    @JsonCreator
+    public TableWithExpiration(
+        @JsonProperty("tableName") final String tableName,
+        @JsonProperty("expiration") final Duration expiration) {
+      super(tableName);
+      this.expiration = expiration;
+    }
+
+    @NotNull
+    public Duration getExpiration() {
+      return expiration;
+    }
+  }
+
+  private final IssuedReceiptsTableConfiguration issuedReceipts;
+  private final TableWithExpiration redeemedReceipts;
+  private final Table subscriptions;
+
+  @JsonCreator
+  public DynamoDbTables(
+      @JsonProperty("issuedReceipts") final IssuedReceiptsTableConfiguration issuedReceipts,
+      @JsonProperty("redeemedReceipts") final TableWithExpiration redeemedReceipts,
+      @JsonProperty("subscriptions") final Table subscriptions) {
+    this.issuedReceipts = issuedReceipts;
+    this.redeemedReceipts = redeemedReceipts;
+    this.subscriptions = subscriptions;
+  }
+
+  @Valid
+  @NotNull
+  public IssuedReceiptsTableConfiguration getIssuedReceipts() {
+    return issuedReceipts;
+  }
+
+  @Valid
+  @NotNull
+  public TableWithExpiration getRedeemedReceipts() {
+    return redeemedReceipts;
+  }
+
+  @Valid
+  @NotNull
+  public Table getSubscriptions() {
+    return subscriptions;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/IssuedReceiptsTableConfiguration.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.time.Duration;
+import javax.validation.constraints.NotEmpty;
+
+public class IssuedReceiptsTableConfiguration extends DynamoDbTables.TableWithExpiration {
+
+  private final byte[] generator;
+
+  public IssuedReceiptsTableConfiguration(
+      @JsonProperty("tableName") final String tableName,
+      @JsonProperty("expiration") final Duration expiration,
+      @JsonProperty("generator") final byte[] generator) {
+    super(tableName, expiration);
+    this.generator = generator;
+  }
+
+  @NotEmpty
+  public byte[] getGenerator() {
+    return generator;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/MessageDynamoDbConfiguration.java

@@ -5,13 +5,12 @@
 
 package org.whispersystems.textsecuregcm.configuration;
 
-import javax.validation.Valid;
-import javax.validation.constraints.NotEmpty;
 import java.time.Duration;
+import javax.validation.Valid;
 
 public class MessageDynamoDbConfiguration extends DynamoDbConfiguration {
 
-  private Duration timeToLive = Duration.ofDays(7);
+  private Duration timeToLive = Duration.ofDays(14);
 
   @Valid
   public Duration getTimeToLive() {

service/src/main/java/org/whispersystems/textsecuregcm/configuration/MicrometerConfiguration.java

@@ -1,29 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.fasterxml.jackson.annotation.JsonProperty;
-
-import javax.validation.constraints.NotEmpty;
-import javax.validation.constraints.Positive;
-
-public class MicrometerConfiguration {
-
-    @JsonProperty
-    private String uri;
-
-    @JsonProperty
-    @Positive
-    private int batchSize = 10_000;
-
-    public String getUri() {
-        return uri;
-    }
-
-    public int getBatchSize() {
-        return batchSize;
-    }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/PaymentsServiceConfiguration.java

@@ -9,7 +9,6 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
 
-import javax.validation.constraints.Min;
 import javax.validation.constraints.NotEmpty;
 import java.util.List;
 

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RateLimitsConfiguration.java

@@ -63,6 +63,9 @@ public class RateLimitsConfiguration {
   @JsonProperty
   private RateLimitConfiguration usernameSet = new RateLimitConfiguration(100, 100 / (24.0 * 60.0));
 
+  @JsonProperty
+  private RateLimitConfiguration checkAccountExistence = new RateLimitConfiguration(1_000, 1_000 / 60.0);
+
   public RateLimitConfiguration getAutoBlock() {
     return autoBlock;
   }
@@ -135,6 +138,10 @@ public class RateLimitsConfiguration {
     return usernameSet;
   }
 
+  public RateLimitConfiguration getCheckAccountExistence() {
+    return checkAccountExistence;
+  }
+
   public static class RateLimitConfiguration {
     @JsonProperty
     private int bucketSize;
@@ -165,16 +172,12 @@ public class RateLimitsConfiguration {
     @JsonProperty
     private Duration ttl;
 
-    @JsonProperty
-    private Duration ttlJitter;
-
     public CardinalityRateLimitConfiguration() {
     }
 
-    public CardinalityRateLimitConfiguration(int maxCardinality, Duration ttl, Duration ttlJitter) {
+    public CardinalityRateLimitConfiguration(int maxCardinality, Duration ttl) {
       this.maxCardinality = maxCardinality;
       this.ttl = ttl;
-      this.ttlJitter = ttlJitter;
     }
 
     public int getMaxCardinality() {
@@ -184,9 +187,5 @@ public class RateLimitsConfiguration {
     public Duration getTtl() {
       return ttl;
     }
-
-    public Duration getTtlJitter() {
-      return ttlJitter;
-    }
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RecaptchaV2Configuration.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import java.math.BigDecimal;
+import javax.validation.constraints.DecimalMax;
+import javax.validation.constraints.DecimalMin;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class RecaptchaV2Configuration {
+
+  private BigDecimal scoreFloor;
+  private String projectPath;
+  private String siteKey;
+  private String credentialConfigurationJson;
+
+  @DecimalMin("0")
+  @DecimalMax("1")
+  @NotNull
+  public BigDecimal getScoreFloor() {
+    return scoreFloor;
+  }
+
+  @NotEmpty
+  public String getProjectPath() {
+    return projectPath;
+  }
+
+  @NotEmpty
+  public String getSiteKey() {
+    return siteKey;
+  }
+
+  @NotEmpty
+  public String getCredentialConfigurationJson() {
+    return credentialConfigurationJson;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/RedisClusterConfiguration.java

@@ -11,41 +11,40 @@ import javax.validation.Valid;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
 import java.time.Duration;
-import java.util.List;
 
 public class RedisClusterConfiguration {
 
-    @JsonProperty
-    @NotEmpty
-    private List<String> urls;
+  @JsonProperty
+  @NotEmpty
+  private String configurationUri;
 
-    @JsonProperty
-    @NotNull
-    private Duration timeout = Duration.ofMillis(3_000);
+  @JsonProperty
+  @NotNull
+  private Duration timeout = Duration.ofMillis(3_000);
 
-    @JsonProperty
-    @NotNull
-    @Valid
-    private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
+  @JsonProperty
+  @NotNull
+  @Valid
+  private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
 
-    @JsonProperty
-    @NotNull
-    @Valid
-    private RetryConfiguration retry = new RetryConfiguration();
+  @JsonProperty
+  @NotNull
+  @Valid
+  private RetryConfiguration retry = new RetryConfiguration();
 
-    public List<String> getUrls() {
-        return urls;
-    }
+  public String getConfigurationUri() {
+    return configurationUri;
+  }
 
-    public Duration getTimeout() {
-        return timeout;
-    }
+  public Duration getTimeout() {
+    return timeout;
+  }
 
-    public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
-        return circuitBreaker;
-    }
+  public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
+    return circuitBreaker;
+  }
 
-    public RetryConfiguration getRetryConfiguration() {
-        return retry;
-    }
+  public RetryConfiguration getRetryConfiguration() {
+    return retry;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/ReportMessageConfiguration.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotNull;
+import java.time.Duration;
+
+public class ReportMessageConfiguration {
+
+  @JsonProperty
+  @NotNull
+  private final Duration reportTtl = Duration.ofDays(7);
+
+  @JsonProperty
+  @NotNull
+  private final Duration counterTtl = Duration.ofDays(1);
+
+  public Duration getReportTtl() {
+    return reportTtl;
+  }
+
+  public Duration getCounterTtl() {
+    return counterTtl;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureBackupServiceConfiguration.java

@@ -6,7 +6,11 @@
 package org.whispersystems.textsecuregcm.configuration;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.Valid;
+import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
 
@@ -16,8 +20,51 @@ public class SecureBackupServiceConfiguration {
   @JsonProperty
   private String userAuthenticationTokenSharedSecret;
 
+  @NotBlank
+  @JsonProperty
+  private String uri;
+
+  @NotBlank
+  @JsonProperty
+  private String backupCaCertificate;
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
+
+  @NotNull
+  @Valid
+  @JsonProperty
+  private RetryConfiguration retry = new RetryConfiguration();
+
   public byte[] getUserAuthenticationTokenSharedSecret() throws DecoderException {
     return Hex.decodeHex(userAuthenticationTokenSharedSecret.toCharArray());
   }
 
+  @VisibleForTesting
+  public void setUri(final String uri) {
+    this.uri = uri;
+  }
+
+  public String getUri() {
+    return uri;
+  }
+
+  @VisibleForTesting
+  public void setBackupCaCertificate(final String backupCaCertificate) {
+    this.backupCaCertificate = backupCaCertificate;
+  }
+
+  public String getBackupCaCertificate() {
+    return backupCaCertificate;
+  }
+
+  public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
+    return circuitBreaker;
+  }
+
+  public RetryConfiguration getRetryConfiguration() {
+    return retry;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureStorageServiceConfiguration.java

@@ -24,6 +24,10 @@ public class SecureStorageServiceConfiguration {
   @JsonProperty
   private String uri;
 
+  @NotBlank
+  @JsonProperty
+  private String storageCaCertificate;
+
   @NotNull
   @Valid
   @JsonProperty
@@ -47,6 +51,15 @@ public class SecureStorageServiceConfiguration {
     return uri;
   }
 
+  @VisibleForTesting
+  public void setStorageCaCertificate(final String certificatePem) {
+    this.storageCaCertificate = certificatePem;
+  }
+
+  public String getStorageCaCertificate() {
+    return storageCaCertificate;
+  }
+
   public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {
     return circuitBreaker;
   }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/StripeConfiguration.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import javax.validation.constraints.NotEmpty;
+
+public class StripeConfiguration {
+
+  private final String apiKey;
+  private final byte[] idempotencyKeyGenerator;
+  private final String boostDescription;
+
+  @JsonCreator
+  public StripeConfiguration(
+      @JsonProperty("apiKey") final String apiKey,
+      @JsonProperty("idempotencyKeyGenerator") final byte[] idempotencyKeyGenerator,
+      @JsonProperty("boostDescription") final String boostDescription) {
+    this.apiKey = apiKey;
+    this.idempotencyKeyGenerator = idempotencyKeyGenerator;
+    this.boostDescription = boostDescription;
+  }
+
+  @NotEmpty
+  public String getApiKey() {
+    return apiKey;
+  }
+
+  @NotEmpty
+  public byte[] getIdempotencyKeyGenerator() {
+    return idempotencyKeyGenerator;
+  }
+
+  @NotEmpty
+  public String getBoostDescription() {
+    return boostDescription;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SubscriptionConfiguration.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import io.dropwizard.validation.ValidationMethod;
+import java.time.Duration;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+import javax.validation.Valid;
+import javax.validation.constraints.Min;
+import javax.validation.constraints.NotNull;
+
+public class SubscriptionConfiguration {
+
+  private final Duration badgeGracePeriod;
+  private final Map<Long, SubscriptionLevelConfiguration> levels;
+
+  @JsonCreator
+  public SubscriptionConfiguration(
+      @JsonProperty("badgeGracePeriod") @Valid Duration badgeGracePeriod,
+      @JsonProperty("levels") @Valid Map<@NotNull @Min(1) Long, @NotNull @Valid SubscriptionLevelConfiguration> levels) {
+    this.badgeGracePeriod = badgeGracePeriod;
+    this.levels = levels;
+  }
+
+  public Duration getBadgeGracePeriod() {
+    return badgeGracePeriod;
+  }
+
+  public Map<Long, SubscriptionLevelConfiguration> getLevels() {
+    return levels;
+  }
+
+  @JsonIgnore
+  @ValidationMethod(message = "has a mismatch between the levels supported currencies")
+  public boolean isCurrencyListSameAcrossAllLevels() {
+    Optional<SubscriptionLevelConfiguration> any = levels.values().stream().findAny();
+    if (any.isEmpty()) {
+      return true;
+    }
+
+    Set<String> currencies = any.get().getPrices().keySet();
+    return levels.values().stream().allMatch(level -> currencies.equals(level.getPrices().keySet()));
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SubscriptionLevelConfiguration.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Map;
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class SubscriptionLevelConfiguration {
+
+  private final String badge;
+  private final String product;
+  private final Map<String, SubscriptionPriceConfiguration> prices;
+
+  @JsonCreator
+  public SubscriptionLevelConfiguration(
+      @JsonProperty("badge") @NotEmpty String badge,
+      @JsonProperty("product") @NotEmpty String product,
+      @JsonProperty("prices") @Valid Map<@NotEmpty String, @NotNull @Valid SubscriptionPriceConfiguration> prices) {
+    this.badge = badge;
+    this.product = product;
+    this.prices = prices;
+  }
+
+  public String getBadge() {
+    return badge;
+  }
+
+  public String getProduct() {
+    return product;
+  }
+
+  public Map<String, SubscriptionPriceConfiguration> getPrices() {
+    return prices;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/SubscriptionPriceConfiguration.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.math.BigDecimal;
+import javax.validation.constraints.DecimalMin;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
+
+public class SubscriptionPriceConfiguration {
+
+  private final String id;
+  private final BigDecimal amount;
+
+  @JsonCreator
+  public SubscriptionPriceConfiguration(
+      @JsonProperty("id") @NotEmpty String id,
+      @JsonProperty("amount") @NotNull @DecimalMin("0.01") BigDecimal amount) {
+    this.id = id;
+    this.amount = amount;
+  }
+
+  public String getId() {
+    return id;
+  }
+
+  public BigDecimal getAmount() {
+    return amount;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TwilioConfiguration.java

@@ -5,11 +5,11 @@
 package org.whispersystems.textsecuregcm.configuration;
 
 import com.google.common.annotations.VisibleForTesting;
-
+import java.util.Collections;
+import java.util.Map;
 import javax.validation.Valid;
 import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
-import java.util.List;
 
 public class TwilioConfiguration {
 
@@ -19,15 +19,18 @@ public class TwilioConfiguration {
   @NotEmpty
   private String accountToken;
 
-  @NotNull
-  private List<String> numbers;
-
   @NotEmpty
   private String localDomain;
 
+  @NotEmpty
   private String messagingServiceSid;
+
+  @NotEmpty
   private String nanpaMessagingServiceSid;
 
+  @NotEmpty
+  private String verifyServiceSid;
+
   @NotNull
   @Valid
   private CircuitBreakerConfiguration circuitBreaker = new CircuitBreakerConfiguration();
@@ -36,21 +39,17 @@ public class TwilioConfiguration {
   @Valid
   private RetryConfiguration retry = new RetryConfiguration();
 
-  @NotNull
   @Valid
-  private TwilioSenderIdConfiguration senderId = new TwilioSenderIdConfiguration();
+  private TwilioVerificationTextConfiguration defaultClientVerificationTexts;
+
+  @Valid
+  private Map<String,TwilioVerificationTextConfiguration> regionalClientVerificationTexts = Collections.emptyMap();
 
   @NotEmpty
-  private String iosVerificationText;
+  private String androidAppHash;
 
   @NotEmpty
-  private String androidNgVerificationText;
-
-  @NotEmpty
-  private String android202001VerificationText;
-
-  @NotEmpty
-  private String genericVerificationText;
+  private String verifyServiceFriendlyName;
 
   public String getAccountId() {
     return accountId;
@@ -69,16 +68,6 @@ public class TwilioConfiguration {
   public void setAccountToken(String accountToken) {
     this.accountToken = accountToken;
   }
-
-  public List<String> getNumbers() {
-    return numbers;
-  }
-
-  @VisibleForTesting
-  public void setNumbers(List<String> numbers) {
-    this.numbers = numbers;
-  }
-
   public String getLocalDomain() {
     return localDomain;
   }
@@ -106,6 +95,15 @@ public class TwilioConfiguration {
     this.nanpaMessagingServiceSid = nanpaMessagingServiceSid;
   }
 
+  public String getVerifyServiceSid() {
+    return verifyServiceSid;
+  }
+
+  @VisibleForTesting
+  public void setVerifyServiceSid(String verifyServiceSid) {
+    this.verifyServiceSid = verifyServiceSid;
+  }
+
   public CircuitBreakerConfiguration getCircuitBreaker() {
     return circuitBreaker;
   }
@@ -124,48 +122,38 @@ public class TwilioConfiguration {
     this.retry = retry;
   }
 
-  public TwilioSenderIdConfiguration getSenderId() {
-    return senderId;
+  public TwilioVerificationTextConfiguration getDefaultClientVerificationTexts() {
+    return defaultClientVerificationTexts;
   }
 
   @VisibleForTesting
-  public void setSenderId(TwilioSenderIdConfiguration senderId) {
-    this.senderId = senderId;
+  public void setDefaultClientVerificationTexts(TwilioVerificationTextConfiguration defaultClientVerificationTexts) {
+    this.defaultClientVerificationTexts = defaultClientVerificationTexts;
   }
 
-  public String getIosVerificationText() {
-    return iosVerificationText;
+
+  public Map<String,TwilioVerificationTextConfiguration> getRegionalClientVerificationTexts() {
+    return regionalClientVerificationTexts;
   }
 
   @VisibleForTesting
-  public void setIosVerificationText(String iosVerificationText) {
-    this.iosVerificationText = iosVerificationText;
+  public void setRegionalClientVerificationTexts(final Map<String,TwilioVerificationTextConfiguration> regionalClientVerificationTexts) {
+    this.regionalClientVerificationTexts = regionalClientVerificationTexts;
   }
 
-  public String getAndroidNgVerificationText() {
-    return androidNgVerificationText;
+  public String getAndroidAppHash() {
+    return androidAppHash;
   }
 
-  @VisibleForTesting
-  public void setAndroidNgVerificationText(String androidNgVerificationText) {
-    this.androidNgVerificationText = androidNgVerificationText;
+  public void setAndroidAppHash(String androidAppHash) {
+    this.androidAppHash = androidAppHash;
   }
 
-  public String getAndroid202001VerificationText() {
-    return android202001VerificationText;
+  public void setVerifyServiceFriendlyName(String serviceFriendlyName) {
+    this.verifyServiceFriendlyName = serviceFriendlyName;
   }
 
-  @VisibleForTesting
-  public void setAndroid202001VerificationText(String android202001VerificationText) {
-    this.android202001VerificationText = android202001VerificationText;
-  }
-
-  public String getGenericVerificationText() {
-    return genericVerificationText;
-  }
-
-  @VisibleForTesting
-  public void setGenericVerificationText(String genericVerificationText) {
-    this.genericVerificationText = genericVerificationText;
+  public String getVerifyServiceFriendlyName() {
+    return verifyServiceFriendlyName;
   }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TwilioSenderIdConfiguration.java

@@ -1,56 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.configuration;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import javax.validation.Valid;
-import javax.validation.constraints.NotEmpty;
-import javax.validation.constraints.NotNull;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-public class TwilioSenderIdConfiguration {
-  @NotEmpty
-  private String defaultSenderId;
-
-  @NotNull
-  @Valid
-  private List<TwilioCountrySenderIdConfiguration> countrySpecificSenderIds = new ArrayList<>();
-
-  @NotNull
-  @Valid
-  private Set<String> countryCodesWithoutSenderId = new HashSet<>();
-
-  public String getDefaultSenderId() {
-    return defaultSenderId;
-  }
-
-  @VisibleForTesting
-  public void setDefaultSenderId(String defaultSenderId) {
-    this.defaultSenderId = defaultSenderId;
-  }
-
-  public List<TwilioCountrySenderIdConfiguration> getCountrySpecificSenderIds() {
-    return countrySpecificSenderIds;
-  }
-
-  @VisibleForTesting
-  public void setCountrySpecificSenderIds(List<TwilioCountrySenderIdConfiguration> countrySpecificSenderIds) {
-    this.countrySpecificSenderIds = countrySpecificSenderIds;
-  }
-
-  public Set<String> getCountryCodesWithoutSenderId() {
-    return countryCodesWithoutSenderId;
-  }
-
-  @VisibleForTesting
-  public void setCountryCodesWithoutSenderId(Set<String> countryCodesWithoutSenderId) {
-    this.countryCodesWithoutSenderId = countryCodesWithoutSenderId;
-  }
-}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/TwilioVerificationTextConfiguration.java

@@ -0,0 +1,70 @@
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.PropertyNamingStrategy;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+
+import javax.validation.constraints.NotEmpty;
+
+public class TwilioVerificationTextConfiguration {
+
+  @JsonProperty
+  @NotEmpty
+  private String ios;
+
+  @JsonProperty
+  @NotEmpty
+  private String androidNg;
+
+  @JsonProperty
+  @NotEmpty
+  private String android202001;
+
+  @JsonProperty
+  @NotEmpty
+  private String android202103;
+
+  @JsonProperty
+  @NotEmpty
+  private String generic;
+
+  public String getIosText() {
+    return ios;
+  }
+
+  public void setIosText(String ios) {
+    this.ios = ios;
+  }
+
+  public String getAndroidNgText() {
+    return androidNg;
+  }
+
+  public void setAndroidNgText(final String androidNg) {
+    this.androidNg = androidNg;
+  }
+
+  public String getAndroid202001Text() {
+    return android202001;
+  }
+
+  public void setAndroid202001Text(final String android202001) {
+    this.android202001 = android202001;
+  }
+
+  public String getAndroid202103Text() {
+    return android202103;
+  }
+
+  public void setAndroid202103Text(final String android202103) {
+    this.android202103 = android202103;
+  }
+
+  public String getGenericText() {
+    return generic;
+  }
+
+  public void setGenericText(final String generic) {
+    this.generic = generic;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/URLDeserializationConverter.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.databind.util.StdConverter;
+import java.net.MalformedURLException;
+import java.net.URL;
+
+final class URLDeserializationConverter extends StdConverter<String, URL> {
+
+  @Override
+  public URL convert(final String value) {
+    try {
+      return new URL(value);
+    } catch (MalformedURLException e) {
+      throw new IllegalArgumentException(e);
+    }
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/URLSerializationConverter.java

@@ -0,0 +1,17 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import com.fasterxml.jackson.databind.util.StdConverter;
+import java.net.URL;
+
+final class URLSerializationConverter extends StdConverter<URL, String> {
+
+  @Override
+  public String convert(final URL value) {
+    return value.toString();
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/ZkConfig.java

@@ -26,10 +26,6 @@ public class ZkConfig {
   @NotNull
   private byte[] serverPublic;
 
-  @JsonProperty
-  @NotNull
-  private Boolean enabled;
-
   public byte[] getServerSecret() {
     return serverSecret;
   }
@@ -37,8 +33,4 @@ public class ZkConfig {
   public byte[] getServerPublic() {
     return serverPublic;
   }
-
-  public boolean isEnabled() {
-    return enabled;
-  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicConfiguration.java

@@ -1,12 +1,12 @@
 package org.whispersystems.textsecuregcm.configuration.dynamic;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-
-import javax.validation.Valid;
+import com.google.common.annotations.VisibleForTesting;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import javax.validation.Valid;
 
 public class DynamicConfiguration {
 
@@ -14,6 +14,10 @@ public class DynamicConfiguration {
   @Valid
   private Map<String, DynamicExperimentEnrollmentConfiguration> experiments = Collections.emptyMap();
 
+  @JsonProperty
+  @Valid
+  private Map<String, DynamicPreRegistrationExperimentEnrollmentConfiguration> preRegistrationExperiments = Collections.emptyMap();
+
   @JsonProperty
   @Valid
   private DynamicRateLimitsConfiguration limits = new DynamicRateLimitsConfiguration();
@@ -26,13 +30,41 @@ public class DynamicConfiguration {
   @Valid
   private DynamicMessageRateConfiguration messageRate = new DynamicMessageRateConfiguration();
 
+  @JsonProperty
+  @Valid
+  private DynamicPaymentsConfiguration payments = new DynamicPaymentsConfiguration();
+
   @JsonProperty
   private Set<String> featureFlags = Collections.emptySet();
 
-  public Optional<DynamicExperimentEnrollmentConfiguration> getExperimentEnrollmentConfiguration(final String experimentName) {
+  @JsonProperty
+  @Valid
+  private DynamicTwilioConfiguration twilio = new DynamicTwilioConfiguration();
+
+  @JsonProperty
+  private DynamicSignupCaptchaConfiguration signupCaptcha = new DynamicSignupCaptchaConfiguration();
+
+  @JsonProperty
+  @Valid
+  private DynamicRateLimitChallengeConfiguration rateLimitChallenge = new DynamicRateLimitChallengeConfiguration();
+
+  @JsonProperty
+  private DynamicDirectoryReconcilerConfiguration directoryReconciler = new DynamicDirectoryReconcilerConfiguration();
+
+  @JsonProperty
+  @Valid
+  private DynamicPushLatencyConfiguration pushLatency = new DynamicPushLatencyConfiguration(Collections.emptyMap());
+
+  public Optional<DynamicExperimentEnrollmentConfiguration> getExperimentEnrollmentConfiguration(
+      final String experimentName) {
     return Optional.ofNullable(experiments.get(experimentName));
   }
 
+  public Optional<DynamicPreRegistrationExperimentEnrollmentConfiguration> getPreRegistrationEnrollmentConfiguration(
+      final String experimentName) {
+    return Optional.ofNullable(preRegistrationExperiments.get(experimentName));
+  }
+
   public DynamicRateLimitsConfiguration getLimits() {
     return limits;
   }
@@ -45,7 +77,36 @@ public class DynamicConfiguration {
     return messageRate;
   }
 
+  public DynamicPaymentsConfiguration getPaymentsConfiguration() {
+    return payments;
+  }
+
   public Set<String> getActiveFeatureFlags() {
     return featureFlags;
   }
+
+  public DynamicTwilioConfiguration getTwilioConfiguration() {
+    return twilio;
+  }
+
+  @VisibleForTesting
+  public void setTwilioConfiguration(DynamicTwilioConfiguration twilioConfiguration) {
+    this.twilio = twilioConfiguration;
+  }
+
+  public DynamicSignupCaptchaConfiguration getSignupCaptchaConfiguration() {
+    return signupCaptcha;
+  }
+
+  public DynamicRateLimitChallengeConfiguration getRateLimitChallengeConfiguration() {
+    return rateLimitChallenge;
+  }
+
+  public DynamicDirectoryReconcilerConfiguration getDirectoryReconcilerConfiguration() {
+    return directoryReconciler;
+  }
+
+  public DynamicPushLatencyConfiguration getPushLatencyConfiguration() {
+    return pushLatency;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicDirectoryReconcilerConfiguration.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class DynamicDirectoryReconcilerConfiguration {
+
+  @JsonProperty
+  private boolean enabled = true;
+
+  public boolean isEnabled() {
+    return enabled;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicExperimentEnrollmentConfiguration.java

@@ -11,7 +11,6 @@ import javax.validation.Valid;
 import javax.validation.constraints.Max;
 import javax.validation.constraints.Min;
 import java.util.Collections;
-import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPaymentsConfiguration.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Collections;
+import java.util.List;
+
+public class DynamicPaymentsConfiguration {
+
+  @JsonProperty
+  private List<String> disallowedPrefixes = Collections.emptyList();
+
+  public List<String> getDisallowedPrefixes() {
+    return disallowedPrefixes;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPreRegistrationExperimentEnrollmentConfiguration.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.Collections;
+import java.util.Set;
+import javax.validation.Valid;
+import javax.validation.constraints.Max;
+import javax.validation.constraints.Min;
+
+public class DynamicPreRegistrationExperimentEnrollmentConfiguration {
+
+  @JsonProperty
+  @Valid
+  private Set<String> enrolledE164s = Collections.emptySet();
+
+  @JsonProperty
+  @Valid
+  private Set<String> excludedE164s = Collections.emptySet();
+
+  @JsonProperty
+  @Valid
+  private Set<String> includedCountryCodes = Collections.emptySet();
+
+  @JsonProperty
+  @Valid
+  private Set<String> excludedCountryCodes = Collections.emptySet();
+
+  @JsonProperty
+  @Valid
+  @Min(0)
+  @Max(100)
+  private int enrollmentPercentage = 0;
+
+  public Set<String> getEnrolledE164s() {
+    return enrolledE164s;
+  }
+
+  public Set<String> getExcludedE164s() {
+    return excludedE164s;
+  }
+
+  public Set<String> getIncludedCountryCodes() {
+    return includedCountryCodes;
+  }
+
+  public Set<String> getExcludedCountryCodes() {
+    return excludedCountryCodes;
+  }
+
+  public int getEnrollmentPercentage() {
+    return enrollmentPercentage;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicPushLatencyConfiguration.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2013-2021 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration.dynamic;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.vdurmont.semver4j.Semver;
+import org.whispersystems.textsecuregcm.util.ua.ClientPlatform;
+import java.util.Map;
+import java.util.Set;
+
+public class DynamicPushLatencyConfiguration {
+
+  private final Map<ClientPlatform, Set<Semver>> instrumentedVersions;
+
+  @JsonCreator
+  public DynamicPushLatencyConfiguration(@JsonProperty("instrumentedVersions") final Map<ClientPlatform, Set<Semver>> instrumentedVersions) {
+    this.instrumentedVersions = instrumentedVersions;
+  }
+
+  public Map<ClientPlatform, Set<Semver>> getInstrumentedVersions() {
+    return instrumentedVersions;
+  }
+}