mod_http_oauth2: Clean cache less frequently Seems unlikely that enough unused and expired codes accumulate to warrant an hourly job.

mod_http_oauth2: Shorten default token validity periods With refresh tokens, short lifetime for access tokens is not a problem. The arbitrary choice of one hour seems reasonable. RFC 6749 has it as example value. One week for refresh tokens matching the default archive retention period. This means that a client that remains unused for one week will have to sign in again. An actively used client will continually push that forward with each used refresh token.

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics

mod_http_oauth2: Hint at future deprecation of resource owner password grant It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.

mod_http_oauth2: Allow a shorter form of the device grant in config Long URI is long

mod_http_oauth2: Mention Device flow in list of flows in README

mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator Gives clients some hint about which moderator it was who did the deed. The @by attribute does have the nick of the actor, but they could change their nickname at some point, which is what occupant-id solves. Ref #1816

mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message Lets clients correlate the sender of whatever was retracted by moderators. Behavior limited to Prosody 0.12, otherwise there are no assurances of the origin of the occupant-id tag. Ref #1816

mod_muc_block_pm: Advertise that Moderators are allowed to send PMs But there appears to be no way in XEP-0045 to advertise that Anyone can send PMs *to* Moderators.

mod_muc_block_pm: Allow private messages to yourself No harm in it. Beagle apparently uses it for XEP-0333 in public channels

mod_http_oauth2: Show errors on device flow user code entry page If the user enters the code incorrectly, having to click back to try again is no fun. Instead, show the error and the code entry form again.

mod_http_oauth2: Namespace the various codes to minimize confusion Both for the programmer and in OAuth flows. While unlikely, it should not be possible to cause weirdness e.g. by typing a client id and authorization code into the device code entry.

mod_default_bookmarks: Include 'autojoin' in examples The text does mention this, but who reads that?

mod_http_oauth2: Improve a description in schema

editorconfig: Document established conventions

mod_muc_limits: Drop unsupported Prosody versions from Compatibility table

mod_muc_limits: Set syntax of config snippets to enable syntax highlighting

mod_muc_limits: Reduce cost of multi-line messages, make configurable Typing a 5-line message preceded by a few chat states would have hit the default limit.

mod_client_management: Make ID column dynamically sized Its width can vary more than expected (because it can contain resources)

mod_client_management: Fix traceback if no last seen timestamp available

mod_http_oauth2: Add titles and descriptions to registration schema Since it is exposed publicly, it can serve as documentation.

mod_client_management: Fix missing equality check

mod_client_management: Allow revoking a specific client version Could be useful in case of a security issue affecting a particular version. Even if in that case, the more likely use case is revoking all older versions except the fixed one(s), this can be done with a loop or improved later.

mod_client_management: Add way to revoke (one) client by software This is a bit hacky but it works.

mod_client_management: Add shell command to revoke client access Could be used if an operator detects a compromised client.

mod_client_management: Include software version in table (when known) Showing software versions could be useful for statistical reasons, e.g. determining how quickly (or not) users upgrade, but most importantly for revoking vulnerable clients versions in case of a security issue.

mod_client_management: Include the client id in table in shell command Since this is the identifier used when revoking clients it is useful to show it.

mod_muc_block_pm: Update to 0.12+ API, use roles instead of affiliations The module was possibly broken with 0.12 before. This changes the behavior to allow only messages to or from moderators.

mod_http_muc_log: Fix redirect bug If you somehow went to /muc_log/room/yyyy-mm-dd/something it would send you in a redirect loop that continuously added path components until the path can't be parsed anymore. This should ensure that /muc_log/room/date/ is simply 404'd

mod_http_oauth2: Implement RFC 8628 Device Authorization Grant Meant for devices without easy access to a web browser, such as refrigerators and toasters, which definitely need to be running OAuth-enabled XMPP clients! Could be used for CLI tools that might have trouble running a http server needed for the authorization code flow.

mod_http_oauth2: Mention support for RFC 9207

mod_muc_members_json: Set imported hats to active by default

mod_muc_members_json: New module to import MUC membership from a JSON URL

mod_rest: Use logger of HTTP request in trunk In Prosody trunk rev c975dafa4303 each HTTP request gained its own log sink, to make it easy to log things related to each request and group those messages. Especially where async is used, spreading the request and response apart as mod_rest does with iq stanzas, this grouped logging should help find related messages.

mod_measure_lua: Add brief README

mod_groups_oidc: Add dependency on mod_groups_internal Doesn't make much sense without it, no?

Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)

mod_http_muc_log: Hide joins and parts by default Now both ?p=s(how) and ?p=h(ide) are understood and propagated trough links, with unset being being hide.

mod_http_oauth2: Only add nonce when issuing a client_secret Not as important that the client_id be unique if there's no client_secret since the point was to make each issued client_secret distinct.

mod_pubsub_feeds: Specify acceptable formats in Accept header Don't need to a condition on the etag, if it's nil it's left out.

mod_pubsub_feeds: Pass feed data as argument instead of storing on object Feeds can be quite large, why were we keeping them after parsing???

mod_pubsub_feeds: Retrieve only the most recent item to compare Only need one item id. Fetching all items probably caused memory usage peaks.

mod_pubsub_feeds: Handle node already existing Don't need to create it if it exists

mod_pubsub_feeds: Remove comment, this text is in the README

mod_pubsub_feeds: Remove broken attempt to generate an ID from content This seems to never have worked correctly and now the timestamp is out of scope anyway.

mod_pubsub_feeds: Fix mixup between feed object and parsed feed Did the HMAC thing ever work?

mod_pubsub_feeds: Create pubsub nodes on module load instead of later Should produce faster feedback of things being wrong.

mod_pubsub_feeds: Track latest timestamp seen in feeds instead of last poll This should ensure that an entry that has a publish timestmap after the previously oldest post, but before the time of the last poll check, is published to the node. Previously if an entry would be skipped if it was published at 13:00 with a timestamp of 12:30, where the last poll was at 12:45. For feeds that lack a timestamp, it now looks for the first post that is not published, assuming that the feed is in reverse chronological order, then iterates back up from there.

mod_pubsub_feeds: Add new interval setting in seconds (old still works) To match most other such settings.

mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default I have seen no recent evidence of this being used or supported by anything anywhere anymore.

mod_http_oauth2: Always show list of requested scopes Upon further reflection, these are probably too important to hide behind a <details> thing.

mod_muc_limits: Add a limit on number of bytes in a message body

mod_muc_limits: Add a limit on number of lines per message More vertical space -> more cost

mod_muc_limits: Normalise README markdown syntax (thanks pandoc)

mod_muc_limits: Raise cost for multi-line messages

Back out 22784f001b7f: Documentation change did not match code (thanks bronko)

mod_http_oauth2: Rearrange description of redirect URIs requirements So that they're in one place only instead of sorta twice.

mod_http_oauth2: Add a more complete client registration example More fields from RFC 7591. We should probably mention and recommend more of them, especially the ones that are recorded in grants.

mod_http_oauth2: Strip JWKS metadata since we do not understand that Maybe one day whatever this is will be understood, but not this day!

mod_http_oauth2: Strip unknown client metadata Per RFC 7591 > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). This was previously done but unintentionally removed in 90449babaa48

mod_rest: Map the archive-id attribute in MAM result items I was wondering why this wasn't in the JSON output

mod_rest: Include full_jid property on origin Fixes permission check in disco#info query to your own account, where the 'to' would have been stripped since it equals the account JID, leaving mod_disco passing nil, which triggers an error in module:may()

mod_oidc_userinfo_vcard4: Remove unused import

mod_oidc_userinfo_vcard4: Fix typo

mod_http_oauth2: Make allowed locales configurable Explicit > Implicit Instead of allowing anything after #, allow only the explicitly configured locales to be used. Default to empty list because using these is not supported yet. This potentially limits the size of the client_id, which is already quite large. Nothing prevents clients from registering a whole client_id per locale, which would not require translation support on this side.

mod_http_oauth2: Improve error messages for URI properties Since there are separate validation checks for URI properties, including that they should use https, with better and more specific error reporting. Reverts 'luaPattern' to 'pattern' which is not currently supported by util.jsonschema, but allows anything that retrieves the schema over http to validate against it, should they wish to do so.

mod_rest: Describe the error 'by' property in OpenAPI spec

mod_rest: List all error conditions in OpenAPI spec These are not handled by datamanager but by util.stanza and util.error, so they are not represented in the JSON schema file.

mod_http_oauth2: Make note about handling repeated RFC 6749 states > If an authorization code is used more than once, the authorization > server MUST deny the request and SHOULD revoke (when possible) all > tokens previously issued based on that authorization code. We should follow the SHOULD. The MUST is already covered by removing the code state from the cache.

mod_http_oauth2: Add TODO about disabling password grant Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.

mod_http_oauth2: Disable CORS for authorization endpoint Per recommendation in draft-ietf-oauth-security-topics-23 Hopefully it is enough to return an error status, since mod_http will add CORS headers from a handler with higher priority, even for OPTIONS.

mod_http_oauth2: Make CSP configurable E.g. to enable forbidding all scripts if you don't use any scripts, or allow scripts from your separate static content domain, etc.

mod_http_oauth2: Link to RFC 7628 in README Links are good.

mod_http_oauth2: Use code spans for some config options in README To make them more recognisable as code things.

mod_http_oauth2: Remove underscore prefix LuaCheck considers this to mean that a variable it unused, but this one is not.

mod_cloud_notify_extensions: Fix Markdown syntax of Compatibility table

mod_firewall: Add console commands to mark/unmark users

mod_firewall: Load marks from storage on demand rather than at login This ensures people who don't use marks, or use them infrequently, don't pay a perf cost on every resource bind.

mod_firewall: Log warning when attempting to mark/unmark remote users

mod_firewall: enable marks by default

mod_firewall: Improve error when mark name contains invalid characters

mod_firewall: marks: Fix marking a user with no previous marks

mod_firewall: Update user marks to store instantly via map store The original approach was to keep marks in memory only, and persist them at shutdown. That saves I/O, at the cost of potentially losing marks on an unclean shutdown. This change persists marks instantly, which may have some performance overhead but should be more "correct". It also splits the marking/unmarking into an event which may be watched or even fired by other modules.

mod_firewall: Split some long lines [luacheck]

mod_firewall: Fix inverted logic of 'FROM FULL JID?'

mod_firewall: spam-blocking.pfw: Remove requirement for invites to have no body Some clients (e.g. Gajim) send a body, which I guess makes sense. The bare JID sender check should already make it hard to bypass this (i.e. a normal client putting muc#user into a normal chat message shouldn't bypass the usual message filters).

mod_firewall: scripts: spam-blocklists: Check sender and inviter of MUC invitations against blocklist

mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites

mod_firewall: Add 'FROM FULL JID?' condition

mod_firewall: README: Add some emphasis on the exact behaviour of TO FULL JID

mod_rest: Merge some common properties between openapi and schema

mod_rest: Apply normalization to openapi spec Using https://github.com/mikefarah/yq v4.34.1 --prettyPrint

mod_http_oauth2: Simplify template using if-falsy operator Relies on Prosody rev af1e3b7d9ea3 which added the {var~if-falsy}, released in 0.12. Since this module requires trunk this is fine.

mod_http_dir_listing2: Fix wrong name for resource directory

mod_http_dir_listing2: Include html resources with plugin installer

mod_http_dir_listing: Strip path to using plugin installer

mod_firewall: Include scripts with plugin installer (thanks gooya)

mod_http_oauth2: Add some words about supported flows and defaults

mod_http_oauth2/README: Expand summary to include OAuth 2.0 role This module implements the Authorization Server parts of OAuth 2.0, so having the summary say that seems sensible.

mod_http_oauth2: Return Authentication Time per OpenID Core Section 2 Mandatory To Implement, either MUST include or OPTIONAL depending on things we don't look at, so might as well include it all the time. Since we do not persist authentication state with cookies or such, the authentication time will always be some point between the user being sent to the authorization endpoint and the time they are sent back to the client application.

mod_http_oauth2: Validate the OpenID 'prompt' parameter Without support for affecting the login and consent procedure, it seems sensible to inform the client that they can't change anything with this parameter.

mod_http_oauth2: Apply text color to OOB input field Was using the browser default color

mod_client_management: Include client software version number in listing Should you ever wish to revoke a client by version number, e.g. for security reasons affecting certain versions, then it would be good to at the very least see which version is used. Also includes the OAuth2 software ID, an optional unique identifier that should be the same for all installations of a particular software.

mod_http_oauth2: Present OOB code in an input field for easier selection Should also avoid stray whitespace making it into the selection.

mod_http_oauth2: Revert strict form check to allow consent of multiple scopes Untested commit breaks everything, news at 11

mod_http_oauth2: Reject duplicate form-urlencoded parameters Per RFC 6749 section 3.1 > Request and response parameters MUST NOT be included more than once. Thanks to OAuch for pointing out Also cleans up some of the icky behavior of formdecode(), like returning a string if no '=' is included.

mod_http_oauth2: Bind refresh tokens to client Prevent one OAuth client from using the refresh tokens issued to another client as required by RFC 6819 section 5.2.2.2 See also draft-ietf-oauth-security-topics-22 section 2.2.2 Thanks to OAuch for pointing out this issue

mod_http_oauth2: Record hash of client_id to allow future verification RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the client. In order to do that, we must record something that can definitely tie the client to the grant. Since the full client_id is so large (why we have this client_subset function), a hash is stored instead.

mod_http_oauth2: Add client verification wrapper function Fixes the weird ok, data return format from util.jit, but the real reason is to add some preparation steps here.

mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749 These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.

mod_http_oauth2: Linkify mod_client_management in README

mod_http_oauth2: Fix messed up section about redirect_uris requirements

mod_http_oauth2: Restructure description of client metadata requirements Previously quite a compact block of text, maybe this is easier to read.

mod_http_oauth2: Correct loopback URL example The s in the scheme should not be there, only unencrypted http to loopback interface is allowed.

mod_groups_oidc: Expose groups to OAuth clients

mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism

mod_http_oauth2: Add provisions for dynamically adding simple scopes This lets additional modules define what scopes they might add to the userinfo endpoint, or other things.

mod_http_oauth2: Sort imports Piped through `sort -k5` thus sorting by module name. Sort order makes it easy to know where to insert new imports.

mod_http_oauth2: Fix closing h1 tag

mod_auth_oauth_external: Correct docs about default scope Yet another failure of auto-complete?