Mercurial Mercurial > prosody > prosody-modules / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_pubsub_post/README.markdown
changeset 3507 882180b459a0
parent 3506 42e9e3c5eb02
child 3509 106b4ae4469b 
--- a/mod_pubsub_post/README.markdown	Sat Mar 30 19:24:18 2019 +0100
+++ b/mod_pubsub_post/README.markdown	Sat Mar 30 21:16:13 2019 +0100
@@ -17,56 +17,60 @@
 
 # Configuration
 
-## Authentication
-
-Authentication can be handled in two different ways.
-
-### None
-
-``` {.lua}
-pubsub_post_actor = "superuser"
-```
-
-The module uses an internal actor that has all privileges and can always
-do everything. It is strongly suggested that you do not expose this to
-the Internet. *Maybe* it shouldn't be the default...
+All settings are optional.
 
-### IP
-
-``` {.lua}
-pubsub_post_actor = "request.ip"
-```
+## Actor identification
 
-Uses the IP address from the HTTP request as actor, which means this
-pseudo-JID must be given a 'publisher' affiliation. This should work
-nicely with the `autocreate_on_publish` setting, where the first actor
-to attempt to publish to a nonexistent node becomes owner of it, which
-includes publishing rights.
-
-## WebSub
+First we have to figure out who is making the request.
+This is configured on a per-node basis like this:
 
 ``` {.lua}
 -- Per node secrets
-pubsub_post_secrets = {
-    my_node = "shared secret"
+pubsub_post_actors = {
+    princely_musings = "hamlet@denmark.lit"
 }
-
--- Same secret for all nodes
-pubsub_post_secret = "shared secret"
+pubsub_post_default_actor = "nobody@nowhere.invalid"
 ```
 
-This enables the
+`pubsub_post_default_actor` is used when trying to publish to a node
+that is not listed in `pubsub_post_actors`. Otherwise the IP address
+of the connection is used.
+
+## Authentication
+
 [WebSub](https://www.w3.org/TR/2018/REC-websub-20180123/) [Authenticated
 Content
 Distribution](https://www.w3.org/TR/2018/REC-websub-20180123/#authenticated-content-distribution)
-authentication method, where payloads are signed using a shared secret.
+authentication is used.
+
+``` {.lua}
+pubsub_post_secrets = {
+    princely_musings = "shared secret"
+}
+pubsub_post_default_secret = "default secret"
+```
 
-## Setting up affiliations
+`pubsub_post_default_secret` is used when trying to publish to a node
+that is not listed in `pubsub_post_secrets`. Otherwise the request
+proceeds with the previously identified actor.
+
+::: {.alert .alert-danger}
+If configured without a secret and a default actor that has permission
+to create nodes the service becomes wide open.
+:::
+
+## Authorization
+
+Authorization is handled via pubsub affiliations. Publishing requires an
+affiliation with the _publish_ capability, usually `"publisher"`.
+
+### Setting up affiliations
 
 Prosodys PubSub module supports [setting affiliations via
 XMPP](https://xmpp.org/extensions/xep-0060.html#owner-affiliations), in
 trunk since [revision
-384ef9732b81](https://hg.prosody.im/trunk/rev/384ef9732b81).
+384ef9732b81](https://hg.prosody.im/trunk/rev/384ef9732b81), so
+affiliations can be configured with a capable client.
 
 It can however be done from another plugin:
prosody-modules