Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:54:15 +0200] rev 5418
mod_strict_https: Refresh README
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:34:00 +0200] rev 5417
mod_prometheus: Wrap pointer to mod_http_openmetrics in a box
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:29:46 +0200] rev 5416
mod_listusers: Obsolete, suggest prosodyctl shell instead
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:16:15 +0200] rev 5415
mod_strict_https: Update to use modern APIs instead of monkey patching
Updates one of the least recently updated modules :)
Mapping HTTP Host to Prosody host remains awkward.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 19:06:17 +0200] rev 5414
mod_http_oauth2: Link to RFC 7009: OAuth 2.0 Token Revocation
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 17:04:19 +0200] rev 5413
mod_http_oauth2: Add service documentation URL to metadata
This is aimed to those building integrations, so the modules site seems
appropriate. Configurable so that a deployment can point to their own
OAuth documentation.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 17:01:02 +0200] rev 5412
mod_http_oauth2: Allow configuring links to policy and terms in metadata
These are for the Authorization Server, here the same as the XMPP
server.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:39:32 +0200] rev 5411
mod_http_oauth2: Don't issue client_secret when not using authentication
This is pretty much only for implicit flow, which is considered insecure
anyway, so this is of limited value. If we delete all the implicit flow
code, this could be reverted.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:34:31 +0200] rev 5410
mod_http_oauth2: Validate consistency of response and grant types
Ensure that these correlated fields make sense per RFC 7591 ยง 2.1, even
though we currently only check the response type during authorization.
This could probably all be deleted if (when!) we remove the implicit
grant, since then these things don't make any sense anymore.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:31:25 +0200] rev 5409
mod_http_oauth2: Enforce response type encoded in client_id
The client promises to only use this response type, so we should hold
them to that.
This makes it fail earlier if the response type is disabled or the
client is trying to use one that it promised not to use. Better than
failing after login and consent.