Kim Alvefur <zash@zash.se> [Sun, 05 Nov 2023 21:06:23 +0100] rev 5695
mod_storage_appendmap: Include timestamps when appending data
Meant to give some sense of when each piece of data was added, to aid in
debugging changes or manual rollbacks.
Kim Alvefur <zash@zash.se> [Sun, 05 Nov 2023 21:03:30 +0100] rev 5694
mod_storage_appendmap: Implement item/user iteration methods
Kim Alvefur <zash@zash.se> [Sun, 05 Nov 2023 19:22:46 +0100] rev 5693
mod_http_health: Copypaste IP access control code
Kim Alvefur <zash@zash.se> [Fri, 03 Nov 2023 23:26:57 +0100] rev 5692
mod_dnsupdate: Support advertising explicit non-existence of service
Matthew Wild <mwild1@gmail.com> [Thu, 02 Nov 2023 17:00:53 +0000] rev 5691
mod_http_admin_api: Support for adding/removing group MUCs
Matthew Wild <mwild1@gmail.com> [Thu, 02 Nov 2023 17:00:14 +0000] rev 5690
mod_groups_muc_bookmarks: Update bookmarks when a group MUC is added/removed
Matthew Wild <mwild1@gmail.com> [Thu, 02 Nov 2023 16:59:44 +0000] rev 5689
mod_groups_internal: Update to support multiple MUCs per group
This was a feature request for Snikket.
Matthew Wild <mwild1@gmail.com> [Mon, 30 Oct 2023 12:28:12 +0000] rev 5688
mod_storage_ejabberdsql_readonly: Don't use MySQL-specific syntax
util.sql should take care of transformation when MySQL is in use.
Kim Alvefur <zash@zash.se> [Sun, 29 Oct 2023 12:41:56 +0100] rev 5687
mod_client_management: Bail out retrieving tokens for user
Fixes core/usermanager.lua:118: attempt to index a nil value (field '?')
Kim Alvefur <zash@zash.se> [Sun, 29 Oct 2023 11:30:49 +0100] rev 5686
mod_http_oauth2: Limit revocation to client's own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the latter
part using the hash of client_id recorded in 0860497152af.
It still seems weird to me that revoking a leaked token should not be
allowed whoever might have discovered it, as that seems the responsible
thing to do.