Sun, 23 Jul 2023 02:56:08 +0200 mod_http_oauth2: Implement refresh token rotation
Kim Alvefur <zash@zash.se> [Sun, 23 Jul 2023 02:56:08 +0200] rev 5620
mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics
Fri, 21 Jul 2023 00:38:04 +0200 mod_http_oauth2: Hint at future deprecation of resource owner password grant
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:38:04 +0200] rev 5619
mod_http_oauth2: Hint at future deprecation of resource owner password grant It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.
Fri, 21 Jul 2023 00:37:34 +0200 mod_http_oauth2: Allow a shorter form of the device grant in config
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:37:34 +0200] rev 5618
mod_http_oauth2: Allow a shorter form of the device grant in config Long URI is long
Fri, 21 Jul 2023 00:29:24 +0200 mod_http_oauth2: Mention Device flow in list of flows in README
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:29:24 +0200] rev 5617
mod_http_oauth2: Mention Device flow in list of flows in README
Thu, 20 Jul 2023 10:38:33 +0200 mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator
Kim Alvefur <zash@zash.se> [Thu, 20 Jul 2023 10:38:33 +0200] rev 5616
mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator Gives clients some hint about which moderator it was who did the deed. The @by attribute does have the nick of the actor, but they could change their nickname at some point, which is what occupant-id solves. Ref #1816
Thu, 20 Jul 2023 10:37:27 +0200 mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message
Kim Alvefur <zash@zash.se> [Thu, 20 Jul 2023 10:37:27 +0200] rev 5615
mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message Lets clients correlate the sender of whatever was retracted by moderators. Behavior limited to Prosody 0.12, otherwise there are no assurances of the origin of the occupant-id tag. Ref #1816
Wed, 19 Jul 2023 17:01:40 +0200 mod_muc_block_pm: Advertise that Moderators are allowed to send PMs
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 17:01:40 +0200] rev 5614
mod_muc_block_pm: Advertise that Moderators are allowed to send PMs But there appears to be no way in XEP-0045 to advertise that Anyone can send PMs *to* Moderators.
Wed, 19 Jul 2023 16:59:16 +0200 mod_muc_block_pm: Allow private messages to yourself
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 16:59:16 +0200] rev 5613
mod_muc_block_pm: Allow private messages to yourself No harm in it. Beagle apparently uses it for XEP-0333 in public channels
Wed, 19 Jul 2023 13:05:47 +0200 mod_http_oauth2: Show errors on device flow user code entry page
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 13:05:47 +0200] rev 5612
mod_http_oauth2: Show errors on device flow user code entry page If the user enters the code incorrectly, having to click back to try again is no fun. Instead, show the error and the code entry form again.
Wed, 19 Jul 2023 12:58:04 +0200 mod_http_oauth2: Namespace the various codes to minimize confusion
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 12:58:04 +0200] rev 5611
mod_http_oauth2: Namespace the various codes to minimize confusion Both for the programmer and in OAuth flows. While unlikely, it should not be possible to cause weirdness e.g. by typing a client id and authorization code into the device code entry.
(0) -3000 -1000 -300 -100 -10 +10 +100 +300 tip