Kim Alvefur <zash@zash.se> [Wed, 12 Jul 2023 15:47:20 +0200] rev 5595
mod_muc_block_pm: Update to 0.12+ API, use roles instead of affiliations
The module was possibly broken with 0.12 before.
This changes the behavior to allow only messages to or from moderators.
Kim Alvefur <zash@zash.se> [Mon, 10 Jul 2023 16:10:57 +0200] rev 5594
mod_http_muc_log: Fix redirect bug
If you somehow went to /muc_log/room/yyyy-mm-dd/something it would send
you in a redirect loop that continuously added path components until the
path can't be parsed anymore.
This should ensure that /muc_log/room/date/ is simply 404'd
Kim Alvefur <zash@zash.se> [Mon, 10 Jul 2023 07:16:54 +0200] rev 5593
mod_http_oauth2: Implement RFC 8628 Device Authorization Grant
Meant for devices without easy access to a web browser, such as
refrigerators and toasters, which definitely need to be running
OAuth-enabled XMPP clients!
Could be used for CLI tools that might have trouble running a http
server needed for the authorization code flow.
Kim Alvefur <zash@zash.se> [Fri, 07 Jul 2023 19:45:48 +0200] rev 5592
mod_http_oauth2: Mention support for RFC 9207
Matthew Wild <mwild1@gmail.com> [Fri, 07 Jul 2023 02:02:09 +0100] rev 5591
mod_muc_members_json: Set imported hats to active by default
Matthew Wild <mwild1@gmail.com> [Fri, 07 Jul 2023 01:25:44 +0100] rev 5590
mod_muc_members_json: New module to import MUC membership from a JSON URL
Kim Alvefur <zash@zash.se> [Fri, 07 Jul 2023 00:10:37 +0200] rev 5589
mod_rest: Use logger of HTTP request in trunk
In Prosody trunk rev c975dafa4303 each HTTP request gained its own log
sink, to make it easy to log things related to each request and group
those messages. Especially where async is used, spreading the request
and response apart as mod_rest does with iq stanzas, this grouped
logging should help find related messages.
Kim Alvefur <zash@zash.se> [Fri, 30 Jun 2023 23:58:03 +0200] rev 5588
mod_measure_lua: Add brief README
Kim Alvefur <zash@zash.se> [Fri, 30 Jun 2023 23:57:37 +0200] rev 5587
mod_groups_oidc: Add dependency on mod_groups_internal
Doesn't make much sense without it, no?
Matthew Wild <mwild1@gmail.com> [Thu, 29 Jun 2023 15:58:33 +0100] rev 5586
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Kim Alvefur <zash@zash.se> [Wed, 28 Jun 2023 21:47:22 +0200] rev 5585
mod_http_muc_log: Hide joins and parts by default
Now both ?p=s(how) and ?p=h(ide) are understood and propagated trough
links, with unset being being hide.
Kim Alvefur <zash@zash.se> [Mon, 26 Jun 2023 00:19:05 +0200] rev 5584
mod_http_oauth2: Only add nonce when issuing a client_secret
Not as important that the client_id be unique if there's no
client_secret since the point was to make each issued client_secret
distinct.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 23:53:15 +0200] rev 5583
mod_pubsub_feeds: Specify acceptable formats in Accept header
Don't need to a condition on the etag, if it's nil it's left out.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 20:15:44 +0200] rev 5582
mod_pubsub_feeds: Pass feed data as argument instead of storing on object
Feeds can be quite large, why were we keeping them after parsing???
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 19:58:45 +0200] rev 5581
mod_pubsub_feeds: Retrieve only the most recent item to compare
Only need one item id.
Fetching all items probably caused memory usage peaks.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 19:52:24 +0200] rev 5580
mod_pubsub_feeds: Handle node already existing
Don't need to create it if it exists
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:48:21 +0200] rev 5579
mod_pubsub_feeds: Remove comment, this text is in the README
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:45:25 +0200] rev 5578
mod_pubsub_feeds: Remove broken attempt to generate an ID from content
This seems to never have worked correctly and now the timestamp is out
of scope anyway.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:42:57 +0200] rev 5577
mod_pubsub_feeds: Fix mixup between feed object and parsed feed
Did the HMAC thing ever work?
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:41:50 +0200] rev 5576
mod_pubsub_feeds: Create pubsub nodes on module load instead of later
Should produce faster feedback of things being wrong.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:27:55 +0200] rev 5575
mod_pubsub_feeds: Track latest timestamp seen in feeds instead of last poll
This should ensure that an entry that has a publish timestmap after the
previously oldest post, but before the time of the last poll check, is
published to the node.
Previously if an entry would be skipped if it was published at 13:00
with a timestamp of 12:30, where the last poll was at 12:45.
For feeds that lack a timestamp, it now looks for the first post that is
not published, assuming that the feed is in reverse chronological order,
then iterates back up from there.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:24:12 +0200] rev 5574
mod_pubsub_feeds: Add new interval setting in seconds (old still works)
To match most other such settings.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:20:57 +0200] rev 5573
mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default
I have seen no recent evidence of this being used or supported by
anything anywhere anymore.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 11:12:07 +0200] rev 5572
mod_http_oauth2: Always show list of requested scopes
Upon further reflection, these are probably too important to hide behind
a <details> thing.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 00:00:02 +0200] rev 5571
mod_muc_limits: Add a limit on number of bytes in a message body
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:56:13 +0200] rev 5570
mod_muc_limits: Add a limit on number of lines per message
More vertical space -> more cost
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:53:48 +0200] rev 5569
mod_muc_limits: Normalise README markdown syntax (thanks pandoc)
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:51:31 +0200] rev 5568
mod_muc_limits: Raise cost for multi-line messages
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 22:00:51 +0200] rev 5567
Back out 22784f001b7f: Documentation change did not match code (thanks bronko)
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 21:59:49 +0200] rev 5566
mod_http_oauth2: Rearrange description of redirect URIs requirements
So that they're in one place only instead of sorta twice.
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 09:18:32 +0200] rev 5565
mod_http_oauth2: Add a more complete client registration example
More fields from RFC 7591. We should probably mention and recommend more
of them, especially the ones that are recorded in grants.
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:13:51 +0200] rev 5564
mod_http_oauth2: Strip JWKS metadata since we do not understand that
Maybe one day whatever this is will be understood, but not this day!
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:11:34 +0200] rev 5563
mod_http_oauth2: Strip unknown client metadata
Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
This was previously done but unintentionally removed in 90449babaa48
Kim Alvefur <zash@zash.se> [Mon, 19 Jun 2023 01:26:56 +0200] rev 5562
mod_rest: Map the archive-id attribute in MAM result items
I was wondering why this wasn't in the JSON output
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 22:23:24 +0200] rev 5561
mod_rest: Include full_jid property on origin
Fixes permission check in disco#info query to your own account, where
the 'to' would have been stripped since it equals the account JID,
leaving mod_disco passing nil, which triggers an error in module:may()
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:23 +0200] rev 5560
mod_oidc_userinfo_vcard4: Remove unused import
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:13 +0200] rev 5559
mod_oidc_userinfo_vcard4: Fix typo
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 19:03:32 +0200] rev 5558
mod_http_oauth2: Make allowed locales configurable
Explicit > Implicit
Instead of allowing anything after #, allow only the explicitly
configured locales to be used.
Default to empty list because using these is not supported yet.
This potentially limits the size of the client_id, which is already
quite large. Nothing prevents clients from registering a whole
client_id per locale, which would not require translation support on
this side.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 18:15:00 +0200] rev 5557
mod_http_oauth2: Improve error messages for URI properties
Since there are separate validation checks for URI properties, including
that they should use https, with better and more specific error reporting.
Reverts 'luaPattern' to 'pattern' which is not currently supported by
util.jsonschema, but allows anything that retrieves the schema over http
to validate against it, should they wish to do so.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:28:13 +0200] rev 5556
mod_rest: Describe the error 'by' property in OpenAPI spec
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:26:33 +0200] rev 5555
mod_rest: List all error conditions in OpenAPI spec
These are not handled by datamanager but by util.stanza and util.error,
so they are not represented in the JSON schema file.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:10:46 +0200] rev 5554
mod_http_oauth2: Make note about handling repeated
RFC 6749 states
> If an authorization code is used more than once, the authorization
> server MUST deny the request and SHOULD revoke (when possible) all
> tokens previously issued based on that authorization code.
We should follow the SHOULD.
The MUST is already covered by removing the code state from the cache.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:06:53 +0200] rev 5553
mod_http_oauth2: Add TODO about disabling password grant
Per recommendation in draft-ietf-oauth-security-topics-23 it should at
the very least be disabled by default.
However since this is used by the Snikket web portal some care needs to
be taken not to break this, unless it's already broken by other changes
to this module.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:05:57 +0200] rev 5552
mod_http_oauth2: Disable CORS for authorization endpoint
Per recommendation in draft-ietf-oauth-security-topics-23
Hopefully it is enough to return an error status, since mod_http will
add CORS headers from a handler with higher priority, even for OPTIONS.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:06:28 +0200] rev 5551
mod_http_oauth2: Make CSP configurable
E.g. to enable forbidding all scripts if you don't use any scripts, or
allow scripts from your separate static content domain, etc.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:03:27 +0200] rev 5550
mod_http_oauth2: Link to RFC 7628 in README
Links are good.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:02:47 +0200] rev 5549
mod_http_oauth2: Use code spans for some config options in README
To make them more recognisable as code things.
Kim Alvefur <zash@zash.se> [Sat, 10 Jun 2023 12:04:00 +0200] rev 5548
mod_http_oauth2: Remove underscore prefix
LuaCheck considers this to mean that a variable it unused, but this one
is not.
Kim Alvefur <zash@zash.se> [Fri, 09 Jun 2023 18:07:15 +0200] rev 5547
mod_cloud_notify_extensions: Fix Markdown syntax of Compatibility table
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:47:35 +0100] rev 5546
mod_firewall: Add console commands to mark/unmark users
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:19:46 +0100] rev 5545
mod_firewall: Load marks from storage on demand rather than at login
This ensures people who don't use marks, or use them infrequently, don't pay
a perf cost on every resource bind.
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:15:12 +0100] rev 5544
mod_firewall: Log warning when attempting to mark/unmark remote users
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 17:00:04 +0100] rev 5543
mod_firewall: enable marks by default
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:59:22 +0100] rev 5542
mod_firewall: Improve error when mark name contains invalid characters
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:53:12 +0100] rev 5541
mod_firewall: marks: Fix marking a user with no previous marks
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:20:42 +0100] rev 5540
mod_firewall: Update user marks to store instantly via map store
The original approach was to keep marks in memory only, and persist them at
shutdown. That saves I/O, at the cost of potentially losing marks on an
unclean shutdown.
This change persists marks instantly, which may have some performance overhead
but should be more "correct".
It also splits the marking/unmarking into an event which may be watched or
even fired by other modules.
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:17:25 +0100] rev 5539
mod_firewall: Split some long lines [luacheck]
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 13:04:19 +0100] rev 5538
mod_firewall: Fix inverted logic of 'FROM FULL JID?'
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 12:20:34 +0100] rev 5537
mod_firewall: spam-blocking.pfw: Remove requirement for invites to have no body
Some clients (e.g. Gajim) send a body, which I guess makes sense.
The bare JID sender check should already make it hard to bypass this (i.e.
a normal client putting muc#user into a normal chat message shouldn't bypass
the usual message filters).
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:30:39 +0100] rev 5536
mod_firewall: scripts: spam-blocklists: Check sender and inviter of MUC invitations against blocklist
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:28:56 +0100] rev 5535
mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:28:06 +0100] rev 5534
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:25:40 +0100] rev 5533
mod_firewall: README: Add some emphasis on the exact behaviour of TO FULL JID
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 15:59:34 +0200] rev 5532
mod_rest: Merge some common properties between openapi and schema
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 15:52:02 +0200] rev 5531
mod_rest: Apply normalization to openapi spec
Using https://github.com/mikefarah/yq v4.34.1 --prettyPrint
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:54:52 +0200] rev 5530
mod_http_oauth2: Simplify template using if-falsy operator
Relies on Prosody rev af1e3b7d9ea3 which added the {var~if-falsy},
released in 0.12. Since this module requires trunk this is fine.
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:31:52 +0200] rev 5529
mod_http_dir_listing2: Fix wrong name for resource directory
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:27:13 +0200] rev 5528
mod_http_dir_listing2: Include html resources with plugin installer
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:26:27 +0200] rev 5527
mod_http_dir_listing: Strip path to using plugin installer
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:23:31 +0200] rev 5526
mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 01:51:23 +0200] rev 5525
mod_http_oauth2: Add some words about supported flows and defaults
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 01:43:35 +0200] rev 5524
mod_http_oauth2/README: Expand summary to include OAuth 2.0 role
This module implements the Authorization Server parts of OAuth 2.0, so
having the summary say that seems sensible.
Kim Alvefur <zash@zash.se> [Mon, 05 Jun 2023 22:32:44 +0200] rev 5523
mod_http_oauth2: Return Authentication Time per OpenID Core Section 2
Mandatory To Implement, either MUST include or OPTIONAL depending on
things we don't look at, so might as well include it all the time.
Since we do not persist authentication state with cookies or such, the
authentication time will always be some point between the user being
sent to the authorization endpoint and the time they are sent back to
the client application.
Kim Alvefur <zash@zash.se> [Mon, 05 Jun 2023 22:19:17 +0200] rev 5522
mod_http_oauth2: Validate the OpenID 'prompt' parameter
Without support for affecting the login and consent procedure, it seems
sensible to inform the client that they can't change anything with this
parameter.
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 20:04:40 +0200] rev 5521
mod_http_oauth2: Apply text color to OOB input field
Was using the browser default color
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 19:21:39 +0200] rev 5520
mod_client_management: Include client software version number in listing
Should you ever wish to revoke a client by version number, e.g. for
security reasons affecting certain versions, then it would be good to at
the very least see which version is used.
Also includes the OAuth2 software ID, an optional unique identifier that
should be the same for all installations of a particular software.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:28:04 +0200] rev 5519
mod_http_oauth2: Present OOB code in an input field for easier selection
Should also avoid stray whitespace making it into the selection.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:20:08 +0200] rev 5518
mod_http_oauth2: Revert strict form check to allow consent of multiple scopes
Untested commit breaks everything, news at 11
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:03:57 +0200] rev 5517
mod_http_oauth2: Reject duplicate form-urlencoded parameters
Per RFC 6749 section 3.1
> Request and response parameters MUST NOT be included more than once.
Thanks to OAuch for pointing out
Also cleans up some of the icky behavior of formdecode(), like returning
a string if no '=' is included.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:40:48 +0200] rev 5516
mod_http_oauth2: Bind refresh tokens to client
Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2
See also draft-ietf-oauth-security-topics-22 section 2.2.2
Thanks to OAuch for pointing out this issue
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:14:16 +0200] rev 5515
mod_http_oauth2: Record hash of client_id to allow future verification
RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the
client. In order to do that, we must record something that can
definitely tie the client to the grant. Since the full client_id is so
large (why we have this client_subset function), a hash is stored
instead.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:12:46 +0200] rev 5514
mod_http_oauth2: Add client verification wrapper function
Fixes the weird ok, data return format from util.jit, but the real
reason is to add some preparation steps here.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:59 +0200] rev 5513
mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing out.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 08:59:29 +0200] rev 5512
mod_http_oauth2: Linkify mod_client_management in README
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 20:02:45 +0200] rev 5511
mod_http_oauth2: Fix messed up section about redirect_uris requirements
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 19:55:36 +0200] rev 5510
mod_http_oauth2: Restructure description of client metadata requirements
Previously quite a compact block of text, maybe this is easier to read.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 19:37:17 +0200] rev 5509
mod_http_oauth2: Correct loopback URL example
The s in the scheme should not be there, only unencrypted http to
loopback interface is allowed.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:32:59 +0200] rev 5508
mod_groups_oidc: Expose groups to OAuth clients
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:16:18 +0200] rev 5507
mod_oidc_userinfo_vcard4: Advertise OpenID scopes via new mechanism
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 18:16:13 +0200] rev 5506
mod_http_oauth2: Add provisions for dynamically adding simple scopes
This lets additional modules define what scopes they might add to the
userinfo endpoint, or other things.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 16:37:03 +0200] rev 5505
mod_http_oauth2: Sort imports
Piped through `sort -k5` thus sorting by module name. Sort order makes
it easy to know where to insert new imports.
Kim Alvefur <zash@zash.se> [Thu, 01 Jun 2023 02:33:05 +0200] rev 5504
mod_http_oauth2: Fix closing h1 tag
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 22:37:51 +0200] rev 5503
mod_auth_oauth_external: Correct docs about default scope
Yet another failure of auto-complete?
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 19:31:45 +0200] rev 5502
misc/lnav: Add a README with installation instructions
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 18:04:30 +0200] rev 5501
misc/lnav: Fix delimiting of timestamp in pattern
The string with the timestamp format in core.loggingmanager does end
with a space, so having the exact same string here is nice, but the
pattern did not reflect this.
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 17:59:56 +0200] rev 5500
misc/lnav: Fix timestamp-format to be an array as per schema
Kim Alvefur <zash@zash.se> [Wed, 31 May 2023 03:44:04 +0200] rev 5499
mod_http_oauth2: Create proper template for OOB code delivery
This also improves security by reusing the security and cache headers,
where mod_http_errors/http-message doesn't add such headers.
Colors selected by taking rotating the error colors, rrggbb -> ggbbrr
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:49:39 +0200] rev 5498
mod_http_oauth2: Add an example of client registration
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:48:02 +0200] rev 5497
mod_http_oauth2: Document client registration requirements
Because they go a bit further than the basics in the RFC
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:38:38 +0200] rev 5496
mod_http_debug: Handle any path under /debug/* as well
Sometimes things encode useful info in paths. Could also help if you add
path components in a reverse proxy.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:37:15 +0200] rev 5495
mod_http_debug: Log some extended info about requests
If you point something external at this module, you don't get the
response body back, hence it can be useful to see some details in the
log as well.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:36:04 +0200] rev 5494
mod_http_debug: Handle more HTTP methods
Often you might want to see what POST data was sent, or such.
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 15:20:04 +0200] rev 5493
mod_http_debug: Add a brief README
Kim Alvefur <zash@zash.se> [Fri, 26 May 2023 14:32:59 +0200] rev 5492
mod_rest/example: Include 'application_type' in registration
It defaults to "web", which in turn mandates https: redirect URIs, which
would not work with this example using the OOB URI.
Kim Alvefur <zash@zash.se> [Wed, 24 May 2023 16:34:35 +0200] rev 5491
mod_s2sout_override: Add support for Direct TLS
Well that was easy
Kim Alvefur <zash@zash.se> [Wed, 24 May 2023 15:56:26 +0200] rev 5490
mod_s2sout_override: New module for overriding s2s connections
This takes advantage of the new event added in Prosody rev d5f322dd424b
which enables a cleaner way to override the connection using a resolver.
Matthew Wild <mwild1@gmail.com> [Tue, 23 May 2023 19:40:38 +0100] rev 5489
mod_pubsub_alertmanager: Support for per-path config overrides
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 21:11:13 +0200] rev 5488
mod_muc_moderation: Point to new Conversations issue tracker
Matthew Wild <mwild1@gmail.com> [Thu, 18 May 2023 18:15:50 +0200] rev 5487
mod_invites_adhoc: Fall back to generic allow_user_invites for role-less users
Fixes #1752
Backport of Prosody rev dc0c20753d6c
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 18:08:40 +0200] rev 5486
mod_invites{,_adhoc,_register}: Recommend using version included with prosody
Thanks gooya
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 17:56:10 +0200] rev 5485
mod_welcome_page: Remove dependency on mod_invites (included with Prosody)
Thanks gooya
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:51:48 +0200] rev 5484
mod_http_oauth2: Allow CORS for browser clients
Needed for web clients to reach i.e. the token endpoint.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:47:54 +0200] rev 5483
mod_http_oauth2: Disable Referrer via header
Prevents the various parameters from potentially ending up in logs, as
well as reduces the size of requests.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:25:11 +0200] rev 5482
mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:17:58 +0200] rev 5481
mod_http_oauth2: Use validated redirect URI when returning errors to client
Parsing it from the query again without the validation done by
get_redirect_uri() may lead to open redirect issues.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:07:37 +0200] rev 5480
mod_http_oauth2: Return OAuth error for authz code store error
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:02:09 +0200] rev 5479
mod_http_oauth2: Validate redirect_uri before using it for error redirects
To be extra sure that it is safe to use in redirects from this point on.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:41:23 +0200] rev 5478
mod_http_oauth2: Don't return redirects or HTML from token endpoint
These are used by the client, not the user, so makes more sense to
return JSON directly instead of a redirect or HTML error page when .
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:27:27 +0200] rev 5477
mod_http_oauth2: Tweak formatting of log message
No need to `or ""` anymore since Prosody rev e88db5668cfb (0.11.0) and
the %q format should produce either (nil) or "http://example"
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:43:17 +0200] rev 5476
mod_http_oauth2: Always show early errors to user
Before having validated the client_id, communicating an error back to
the client via redirect would make this an open redirect, so we may just
as well skip past that logic, and especially the warning log message.