mod_strict_https: Refresh README

mod_prometheus: Wrap pointer to mod_http_openmetrics in a box

mod_listusers: Obsolete, suggest prosodyctl shell instead

mod_strict_https: Update to use modern APIs instead of monkey patching Updates one of the least recently updated modules :) Mapping HTTP Host to Prosody host remains awkward.

mod_http_oauth2: Link to RFC 7009: OAuth 2.0 Token Revocation

mod_http_oauth2: Add service documentation URL to metadata This is aimed to those building integrations, so the modules site seems appropriate. Configurable so that a deployment can point to their own OAuth documentation.

mod_http_oauth2: Allow configuring links to policy and terms in metadata These are for the Authorization Server, here the same as the XMPP server.

mod_http_oauth2: Don't issue client_secret when not using authentication This is pretty much only for implicit flow, which is considered insecure anyway, so this is of limited value. If we delete all the implicit flow code, this could be reverted.

mod_http_oauth2: Validate consistency of response and grant types Ensure that these correlated fields make sense per RFC 7591 § 2.1, even though we currently only check the response type during authorization. This could probably all be deleted if (when!) we remove the implicit grant, since then these things don't make any sense anymore.

mod_http_oauth2: Enforce response type encoded in client_id The client promises to only use this response type, so we should hold them to that. This makes it fail earlier if the response type is disabled or the client is trying to use one that it promised not to use. Better than failing after login and consent.