Kim Alvefur <zash@zash.se> [Fri, 05 May 2023 00:57:20 +0200] rev 5421
mod_http_oauth2: Refactor scope handling into smaller functions
Goal is to put a dropdown on the consent page with your allowed roles.
Smaller functions make it easier to reuse. Readability may be improved
slightly as well.
Kim Alvefur <zash@zash.se> [Thu, 04 May 2023 18:41:33 +0200] rev 5420
mod_http_oauth2: Add option for specifying TTL of registered clients
Meant to simplify configuration, since TTL vs ignoring expiration is
expected to be the main thing one would want to configure.
Unsure what the implications of having unlimited lifetime of clients
are, given no way to revoke them currently, short of rotating the
signing secret.
On one hand, it would be annoying to have the client expire.
On the other hand, it is trivial to re-register it.
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:55:22 +0200] rev 5419
mod_strict_https: Add way to disable redirect
Since Prosody 0.12+ does not listen on unencrypted http anymore, this is
likely to cause trouble. Especially since the URL construction is
problematic and awkward.
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:54:15 +0200] rev 5418
mod_strict_https: Refresh README
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:34:00 +0200] rev 5417
mod_prometheus: Wrap pointer to mod_http_openmetrics in a box
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:29:46 +0200] rev 5416
mod_listusers: Obsolete, suggest prosodyctl shell instead
Kim Alvefur <zash@zash.se> [Wed, 03 May 2023 10:16:15 +0200] rev 5415
mod_strict_https: Update to use modern APIs instead of monkey patching
Updates one of the least recently updated modules :)
Mapping HTTP Host to Prosody host remains awkward.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 19:06:17 +0200] rev 5414
mod_http_oauth2: Link to RFC 7009: OAuth 2.0 Token Revocation
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 17:04:19 +0200] rev 5413
mod_http_oauth2: Add service documentation URL to metadata
This is aimed to those building integrations, so the modules site seems
appropriate. Configurable so that a deployment can point to their own
OAuth documentation.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 17:01:02 +0200] rev 5412
mod_http_oauth2: Allow configuring links to policy and terms in metadata
These are for the Authorization Server, here the same as the XMPP
server.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:39:32 +0200] rev 5411
mod_http_oauth2: Don't issue client_secret when not using authentication
This is pretty much only for implicit flow, which is considered insecure
anyway, so this is of limited value. If we delete all the implicit flow
code, this could be reverted.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:34:31 +0200] rev 5410
mod_http_oauth2: Validate consistency of response and grant types
Ensure that these correlated fields make sense per RFC 7591 § 2.1, even
though we currently only check the response type during authorization.
This could probably all be deleted if (when!) we remove the implicit
grant, since then these things don't make any sense anymore.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:31:25 +0200] rev 5409
mod_http_oauth2: Enforce response type encoded in client_id
The client promises to only use this response type, so we should hold
them to that.
This makes it fail earlier if the response type is disabled or the
client is trying to use one that it promised not to use. Better than
failing after login and consent.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:23:40 +0200] rev 5408
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in of unvalidated data that might become used
later, especially since the 'additionalProperties' schema keyword was
removed in 698fef74ce53
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:23:05 +0200] rev 5407
mod_http_oauth2: Simplify validation of various URIs
Why: diffstat
How: Reuse of the redirect_uri_allowed() function
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:22:17 +0200] rev 5406
mod_http_oauth2: More appropriate error conditions in client validation
Specified in RFC7591 for these kinds of issues.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:20:55 +0200] rev 5405
mod_http_oauth2: Reject loopback URIs as client_uri
This really should be a proper website with info, https://localhost is
not good enough. Ideally we'd validate that it's got proper DNS and is
actually reachable, but triggering HTTP or even DNS lookups seems like
it would carry abuse potential that would best to avoid.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:14:22 +0200] rev 5404
mod_http_oauth2: Reduce line count of metadata construction
More compact and readable than long if-then chains
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:08:35 +0200] rev 5403
mod_http_oauth2: Advertise response modes
Are you supposed to be able to influence these somewhere, or is this
just response types with different labels?
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 16:07:09 +0200] rev 5402
mod_http_oauth2: Advertise supported grant types
Seems redundant, since it's just the response types with other labels.
Kim Alvefur <zash@zash.se> [Tue, 02 May 2023 15:41:36 +0200] rev 5401
mod_http_oauth2: Advertise revocation endpoint in metadata
How were you supposed to know this was supported otherwise?
It support Basic auth and ... none?
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 17:04:55 +0200] rev 5400
mod_http_oauth2: Return status 405 for GET to endpoints without GET handler
Endpoints that only do POST have the weird side effect that a GET query
to them return 404, which doesn't quite feel like the right semantics.
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 20:34:36 +0200] rev 5399
mod_inotify_reload: Update to use FD watching method
This removes the need to present a fake socket interface, simplifying
everything.
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 17:16:47 +0200] rev 5398
mod_http_oauth2: Allow loopback IP literals in redirect URIs
Previously only exactly "http://localhost" was allowed, but RFC 8252
seems to recommend both ::1 and 127.0.0.1 be allowed.
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 16:58:53 +0200] rev 5397
mod_http_oauth2: Add way to retrieve registration schema
Mostly for convenience and to fill the void otherwise and drive the
awkward fallback to 404 away.
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 16:42:04 +0200] rev 5396
mod_http_oauth2: Fix missing base64 part of base64url (Thanks KeyCloak)
Obligatory bugs in untested code.
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 16:41:30 +0200] rev 5395
mod_http_oauth2: Fix accidental uppercase in invocation of hash function
Thanks auto-complete!
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 16:13:40 +0200] rev 5394
mod_http_oauth2: Advertise the currently supported id_token signing algorithm
This field is REQUIRED. The algorithm RS256 MUST be included, but isn't
because we don't implement it, as that would require implementing a pile
of additional cryptography and JWT stuff. Instead the id_token is
signed using the client secret, which allows verification by the client,
since it's a shared secret per OpenID Connect Core 1.0 § 10.1 under
Symmetric Signatures.
OpenID Connect Discovery 1.0 has a lot of REQUIRED and MUST clauses that
are not supported here, but that's okay because this is served from the
RFC 8414 OAuth 2.0 Authorization Server Metadata .well-known endpoint!
Kim Alvefur <zash@zash.se> [Sun, 30 Apr 2023 15:20:05 +0200] rev 5393
mod_http_oauth2: Specify that 'contacts' items are emails in client registration
Not enforced, but good for documentation.
> Array of strings representing ways to contact people responsible for
> this client, typically email addresses.
"typically" isn't a great word in a specification, so one could persume
this may be e.g. URLs like https://example.com/contact-us or so as well.
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 15:47:03 +0200] rev 5392
Back out 6f13200c9fc1: Confused request URI with redirect URI
redirect_uris is already marked as required in RFC7591
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 14:06:51 +0200] rev 5391
mod_rest/rest.sh: Implement RFC 7636 PKCE with the 'plain' method
The S256 code challenge method left as a future exercise.
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 13:26:33 +0200] rev 5390
mod_http_oauth2: Advertise required registration of redirect URIs
Specified in OpenID Connect Discovery 1.0
Seems important to be aware of when registering a client.
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 13:23:30 +0200] rev 5389
mod_http_oauth2: Advertise supported token endpoint auth methods
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 13:09:49 +0200] rev 5388
mod_http_oauth2: Allow configuring PKCE challenge methods
You'd pretty much only want this to disable the 'plain' method, since it
doesn't seem to add that much security?
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 13:09:46 +0200] rev 5387
mod_http_oauth2: Implement RFC 7628 Proof Key for Code Exchange
Likely to become mandatory in OAuth 2.1.
Backwards compatible since the default 'plain' verifier would compare
nil with nil if the relevant parameters are left out.
Kim Alvefur <zash@zash.se> [Sat, 29 Apr 2023 11:26:04 +0200] rev 5386
mod_http_oauth2: Reorder routes into order they happen in OAuth 2.0
Since I usually start here to remember the order of things, might as
well turn it into a mini step by step guide :)
Matthew Wild <mwild1@gmail.com> [Fri, 28 Apr 2023 13:27:06 +0100] rev 5385
mod_firewall: Initialize compiled chunk just once for all handlers
This should fix a case where some stateful dependencies (such as throttles)
produce separate instances for every call to new_handler(), leading to
surprising behaviour (e.g. rules executed via JUMP CHAIN vs ::deliver would
have separate rate limits).
This also adds better error handling in case the compiled code fails to run
for some reason.
Kim Alvefur <zash@zash.se> [Thu, 27 Apr 2023 20:56:24 +0200] rev 5384
mod_rest/rest.sh: Set software_id in client registration to something
Mostly just for exercising the extra fields.
Kim Alvefur <zash@zash.se> [Thu, 27 Apr 2023 20:52:55 +0200] rev 5383
mod_rest/rest.sh: Include .sh suffix in client registration
Slight improvement in how the text in mod_http_oauth2 templates reads.
Kim Alvefur <zash@zash.se> [Thu, 27 Apr 2023 19:16:14 +0200] rev 5382
mod_http_oauth2: Record OAuth software id and version attached to tokens
Unsure if these are used anywhere, but `software_id` is supposedly more
unique than `client_uri` which can vary by registration or something?
Software versions can also be good to know e.g. in case there is a
security issue affecting certain versions that could warrant revocation
of tokens issued to it.
Kim Alvefur <zash@zash.se> [Thu, 27 Apr 2023 19:14:23 +0200] rev 5381
mod_http_oauth2: Fix misplaced 'default' on wrong side of } in client registration schema
Matthew Wild <mwild1@gmail.com> [Thu, 27 Apr 2023 16:58:48 +0100] rev 5380
mod_remote_roster: Set id on generated iq stanzas (thanks @agwa)
Fixes 'iq stanzas require an id attribute' error from util.stanza.
Kim Alvefur <zash@zash.se> [Wed, 26 Apr 2023 23:41:49 +0200] rev 5379
mod_http_oauth2: Fix to include "openid" scope in discovery metadata
The "openid" scope was left out of openid_claims since it is treated
differently from the other scopes.
Kim Alvefur <zash@zash.se> [Wed, 26 Apr 2023 12:42:09 +0200] rev 5378
mod_client_management: Show time for recent timestamps in shell command
Semi-fuzzy time is nice
Kim Alvefur <zash@zash.se> [Wed, 26 Apr 2023 12:12:34 +0200] rev 5377
mod_client_management: Fix changed column cell "key"
Forgot to change in b2d51c6ae89a
Kim Alvefur <zash@zash.se> [Wed, 26 Apr 2023 12:09:17 +0200] rev 5376
mod_client_management: Fix error when called against host without this module
Previously:
prosody> user:clients("user@example.org")
| Result: 1
Kim Alvefur <zash@zash.se> [Wed, 26 Apr 2023 11:55:55 +0200] rev 5375
mod_client_management: Move table cell formatting into column specification
It's only more lines because of lua-format!
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 22:12:02 +0200] rev 5374
mod_client_management: Fix type confusion
client_selector : string, not some sort of table?
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 22:06:08 +0200] rev 5373
mod_client_management: Fix error when last password change is unknown (or never)
Fixes attempt to compare nil with number here, due to
last_password_change being nil
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 19:50:27 +0200] rev 5372
mod_rest/rest.sh: Register as native application
Otherwise the custom nonstandard URI would be rejected per the last
commit to mod_http_oauth2
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 19:49:41 +0200] rev 5371
mod_http_oauth2: Validate redirect URI depending on application type
Per https://openid.net/specs/openid-connect-registration-1_0.html
require that web applications use https:// and native applications must
use either http://localhost or a custom (non-https) URI.
Previous requirement that hostname matches that of client_uri is kept
for web applications.
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 18:09:08 +0200] rev 5370
mod_http_oauth2: Fill in some client metadata defaults
Explicit > Implicit
Maybe we should actually use these for something as well? :)
It's is somewhat an open question of how strictly we should enforce
things in the client metadata given that it is somewhat extensible.
Especially some of these enum fields which have corresponding IANA
registries.
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 17:38:36 +0200] rev 5369
mod_http_oauth2: Allow only l10n variants of name in client metadata
Since "client_name" seems to be the only human readable non-URI property
that makes sense to have localized version of. Therefore it seems
excessive to allow arbitrary additionalProperties.
We don't make use of localized versions of client_name and URIs yet, but
it would be nice to do so.
Kim Alvefur <zash@zash.se> [Tue, 25 Apr 2023 17:16:12 +0200] rev 5368
mod_http_oauth2: Normalize whitespace in client metadata schema
Random extra whitespace?
Matthew Wild <mwild1@gmail.com> [Mon, 24 Apr 2023 17:11:08 +0100] rev 5367
mod_log_ringbuffer: Fix description and examples of level configuration
Matthew Wild <mwild1@gmail.com> [Mon, 24 Apr 2023 17:00:05 +0100] rev 5366
mod_log_ringbuffer: Fix example config
Kim Alvefur <zash@zash.se> [Sun, 23 Apr 2023 14:18:25 +0200] rev 5365
mod_oidc_userinfo_vcard4: Fix phone number claim
Copy-paste mistake probably
Kim Alvefur <zash@zash.se> [Sun, 23 Apr 2023 13:37:58 +0200] rev 5364
mod_oidc_userinfo_vcard4: Unpack <vcard> from PubSub <item>
Forgot about the <item>, so it was previously attempting to extract all
properties from that instead of the inner <vcard>
Kim Alvefur <zash@zash.se> [Sat, 22 Apr 2023 16:29:56 +0200] rev 5363
mod_http_oauth2: Use new Lua pattern schema properties
Kim Alvefur <zash@zash.se> [Sat, 22 Apr 2023 14:22:56 +0200] rev 5362
mod_http_oauth2: Include additional OpenID scopes in metadata
Drops fallback because this module probably doesn't work with Prosody
before the role stuff anyway.
Kim Alvefur <zash@zash.se> [Sat, 22 Apr 2023 14:02:56 +0200] rev 5361
mod_http_oauth2: Validate (unused at this point) localized URIs
Client registration may include keys of the form "some_uri#lang-code"
pointing to alternate language versions of the various URIs. We don't
use this yet but the same validation should apply.
Kim Alvefur <zash@zash.se> [Sat, 22 Apr 2023 14:06:41 +0200] rev 5360
mod_http_oauth2: Declare https as required of URIs in schema
If util.jsonschema happens to gain support for 'pattern' (regular
expression validation) then this would be picked up. Until then,
declarative annotations are nice.
Kim Alvefur <zash@zash.se> [Sat, 22 Apr 2023 12:02:01 +0200] rev 5359
mod_http_oauth2: Enforce https requirement on TOS URI
In create_client() it validates that all fields with format=uri are
https and match the client_uri host.
Kim Alvefur <zash@zash.se> [Sat, 22 Apr 2023 11:59:52 +0200] rev 5358
mod_http_oauth2: Use new mod_cron API for periodic cleanup
Less frequent but this isn't that important after all since, as the
comment states, expired codes are not usable anyway. They're also not
that large so memory usage probably doesn't matter.
Kim Alvefur <zash@zash.se> [Tue, 18 Apr 2023 21:48:31 +0200] rev 5357
mod_audit_status: Fix error on first start
Fixes 'attempt to index a nil value' the first time this module is
loaded, since there's no data yet.
Matthew Wild <mwild1@gmail.com> [Mon, 17 Apr 2023 14:31:50 +0100] rev 5356
mod_muc_rtbl: Use correct occupant object
There is no 'occupant' property for this event.
Kim Alvefur <zash@zash.se> [Mon, 17 Apr 2023 08:26:20 +0200] rev 5355
mod_audit: Move underscore to avoid luacheck warning
Underscore as prefix is taken as a signal that the variable is unused,
but then it is used and luacheck makes noise about that.
Kim Alvefur <zash@zash.se> [Mon, 17 Apr 2023 08:01:09 +0200] rev 5354
mod_oidc_userinfo_vcard4: Provide profile details in mod_http_oauth2
Kim Alvefur <zash@zash.se> [Sat, 15 Apr 2023 10:54:34 +0200] rev 5353
mod_auth_oauth_external: Add configuration example
Kim Alvefur <zash@zash.se> [Sat, 15 Apr 2023 10:46:04 +0200] rev 5352
mod_auth_oauth_external: Linkify password grant
Kim Alvefur <zash@zash.se> [Sat, 15 Apr 2023 10:41:47 +0200] rev 5351
mod_auth_oauth_external: Some notes in README
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 13:04:13 +0100] rev 5350
mod_auth_oauth_external: Allow setting identity instead of discovery URL
Shorter and the .well-known part is, well, well-known.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 12:45:52 +0100] rev 5349
mod_auth_oauth_external: Support PLAIN via resource owner password grant
Might not be supported by the backend but PLAIN is the lowest common
denominator, so not having it would lock out a lot of clients.
Kim Alvefur <zash@zash.se> [Thu, 16 Mar 2023 12:45:22 +0100] rev 5348
mod_auth_oauth_external: Authenticate against an OAuth 2 provider
But suddenly unsure whether this constitutes an OAuth "client" or
something else? Resource server maybe?
Kim Alvefur <zash@zash.se> [Thu, 13 Apr 2023 09:11:28 +0200] rev 5347
mod_client_management: Fix import of util.error (not errors)
Kim Alvefur <zash@zash.se> [Wed, 12 Apr 2023 11:24:50 +0200] rev 5346
mod_rest: Implement use of refresh tokens in rest.sh example
Because having access tokens expire daily was becoming annoying.
Now this is starting to be in dire need of refactoring.
Kim Alvefur <zash@zash.se> [Wed, 12 Apr 2023 11:24:06 +0200] rev 5345
mod_http_oauth2: Fix error due to reference loop when using refresh token
Kim Alvefur <zash@zash.se> [Wed, 12 Apr 2023 11:22:36 +0200] rev 5344
mod_http_oauth2: Fix table index error when using refresh token
Maxime “pep” Buquet <pep@bouah.net> [Tue, 11 Apr 2023 15:59:35 +0200] rev 5343
mod_muc_http_defaults: Use the new set_subject API. Thanks John Livingston
Kim Alvefur <zash@zash.se> [Mon, 10 Apr 2023 13:24:03 +0200] rev 5342
mod_service_outage_status: XEP-0455: Service Outage Status
Only the out of band part so far.
The in-band pubsub part would need '+notify' support in mod_pubsub,
since mod_pep does not serve the bare-host-JID.
All the hard parts of this XEP is elsewhere, i.e. hosting the document
somewhere reliable.
Kim Alvefur <zash@zash.se> [Mon, 10 Apr 2023 10:49:02 +0200] rev 5341
mod_http_oauth2: Support OpenID UserInfo claims
Actually filling in those details is left to another module because I
don't really wanna mix in a dependency on PEP or mod_vcard here, those
implementation details can be in a second module. Some might want to
fill this from LDAP or something as well.
Kim Alvefur <zash@zash.se> [Mon, 10 Apr 2023 10:47:51 +0200] rev 5340
mod_http_oauth2: Add some debug logging for UserInfo endpoint
Kim Alvefur <zash@zash.se> [Mon, 10 Apr 2023 10:44:23 +0200] rev 5339
mod_http_oauth2: Correct error code when missing credentials for userinfo
Kim Alvefur <zash@zash.se> [Sat, 08 Apr 2023 19:51:24 +0200] rev 5338
mod_rest: Get correct type from config
Autocomplete?
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 21:10:14 +0200] rev 5337
mod_http_debug: Module that echos back HTTP request info for debugging
Written in 2021 for debugging some reverse proxy issue on https://chat.prosody.im/
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 20:26:33 +0200] rev 5336
mod_rest: Allow passing configuring a timeout for <iq> responses
The default 2 minutes is not how long you want to wait, sometimes.
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 15:21:54 +0100] rev 5335
mod_audit: Add expiration of entries, and handling of full archive stores
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 15:27:03 +0200] rev 5334
mod_rest/rest.sh: Update 'client_uri' to module page
This started as a convenience wrapper for httpie + mod_rest that
eventually grew OAuth support.
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 15:26:41 +0200] rev 5333
mod_rest/rest.sh: List dependencies in comment
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 15:21:33 +0200] rev 5332
mod_http_oauth2/README: Add rest.sh to known implementations
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:46:29 +0100] rev 5331
mod_audit: Add 'note' column
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:44:18 +0100] rev 5330
mod_audit: Improve filtering options and add documentation to README
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:25:34 +0100] rev 5329
mod_audit: Add some control over output columns via command-line flags
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:10:43 +0100] rev 5328
mod_audit_status: Include shutdown reason in log entry
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:10:20 +0100] rev 5327
mod_audit: Let util.human.io pick a suitable default width
It supports better width detection now.
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:09:51 +0100] rev 5326
mod_audit: Use proportional columns in table output
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 13:09:31 +0100] rev 5325
mod_audit: Fix iteration of custom payloads to use ipairs
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 12:09:21 +0100] rev 5324
mod_audit_status: New module to log server status to audit log
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 12:03:29 +0100] rev 5323
mod_audit: Display most recent entries first, rather than showing oldest
This matches the output of 'lastb'.
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 12:00:31 +0100] rev 5322
mod_audit: Minor style nit
Matthew Wild <mwild1@gmail.com> [Fri, 07 Apr 2023 12:00:06 +0100] rev 5321
mod_audit: Allow caller to specify time of the event
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 11:38:46 +0200] rev 5320
mod_http_oauth2/README: Link to mod_rest
Kim Alvefur <zash@zash.se> [Fri, 07 Apr 2023 11:37:58 +0200] rev 5319
mod_http_oauth2/README: Link to OAuth and OIDC sites
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 19:31:29 +0100] rev 5318
mod_client_management: README: Update docs to detail shell and XMPP interfaces
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 17:24:16 +0100] rev 5317
mod_http_oauth2: README: Updated documentation to reflect module status
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 16:10:27 +0100] rev 5316
mod_client_management: Add list-clients + manage-clients permissions to users
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 16:09:56 +0100] rev 5315
mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 15:24:49 +0100] rev 5314
mod_client_management: Improve representation of authentication methods
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 15:22:10 +0100] rev 5313
mod_client_management: Improve table output
Requires 1f89a2a9f532 and 1023c3faffac from Prosody.
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 15:21:09 +0100] rev 5312
mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com> [Thu, 06 Apr 2023 15:20:25 +0100] rev 5311
mod_client_management: Use grant id from key
This is a minor tweak - it's faster and preserves compatibility with older
data formats (that we don't necessarily want to be compatible with, but some
of us have messy data stores and it pays to be a little more robust).
Matthew Wild <mwild1@gmail.com> [Wed, 05 Apr 2023 19:45:13 +0100] rev 5310
mod_client_management: Fail to revoke clients that have used passwords
Return an error so the caller can take appropriate action, e.g. encouraging
the user to change their password.
Matthew Wild <mwild1@gmail.com> [Wed, 05 Apr 2023 19:42:16 +0100] rev 5309
mod_client_management: Add support for revocation of clients (when possible)
We decided to keep the unified listing of "clients", which includes both SASL2
clients and OAuth grants, etc. To a user, or someone wanting to manage what
can access their account, they are largely equivalent.
To accomplish this technically, we add a prefix to the id to state what type
it really is.
Matthew Wild <mwild1@gmail.com> [Wed, 05 Apr 2023 19:39:53 +0100] rev 5308
mod_client_management: Include client type in XML response listing
Matthew Wild <mwild1@gmail.com> [Wed, 05 Apr 2023 19:38:59 +0100] rev 5307
mod_sasl2_fast: Add API method to revoke FAST tokens for a given client
Matthew Wild <mwild1@gmail.com> [Tue, 04 Apr 2023 18:09:48 +0100] rev 5306
mod_cloud_notify_filters: Fix traceback when invalid JIDs are submitted
Matthew Wild <mwild1@gmail.com> [Sat, 01 Apr 2023 13:56:53 +0100] rev 5305
mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com> [Sat, 01 Apr 2023 13:56:15 +0100] rev 5304
.luacheckrc: Add module.once
Matthew Wild <mwild1@gmail.com> [Sat, 01 Apr 2023 13:22:12 +0100] rev 5303
mod_audit: Add a command to print the audit log on the command-line
Matthew Wild <mwild1@gmail.com> [Sat, 01 Apr 2023 13:11:53 +0100] rev 5302
mod_audit: Support for adding location (GeoIP) to audit events
This can be more privacy-friendly than logging full IP addresses, and also
more informative to a user - IP addresses don't mean much to the average
person, however if they see activity from outside their expected country, they
can immediately identify suspicious activity.
As with IPs, this field is configurable for deployments that would like to
disable it. Location is also not logged when the geoip library is not
available.