mod_http_oauth2: Tweak fallback error text Since the oauth error is more like the error condition, a symbolic error code, not the most human-friendly. Many error cases do have human-readable error descriptions that should be fine on their own, or changed to be. As a fallback, capitalize the error name.

mod_http_oauth2: Improve registration schema documentation parts

mod_http_oauth2: Do not enforce PKCE on Device and OOB flows PKCE does not appear to be used with the Device flow. I have found no mention of any interaction between those standards. Since no data is delivered via redirects in these cases, PKCE may not serve any purpose. This is mostly a problem because we reuse the authorization code to implement the Device and OOB flows.

mod_groups_internal: Return group name instead of MUC name if MUC has no name

mod_server_info: New module to add custom service extension forms to disco

mod_firewall: TO/FROM ROLE: Handle JIDs with no role (thanks Zash)

mod_firewall: Fix TO/FROM ROLE These conditions did not match because get_jid_role() returns a role object. We want to compare based on the name.

mod_measure_active_users: Fix inverted logic (thanks mirux)

mod_http_oauth2: Use color-scheme to get nice dark mode defaults

mod_isolate_host: Fix inverted logic in log message

mod_s2s_status: Add missing return (thanks Zash)

mod_c2s_conn_throttle: Reduce log level from error->info Our general policy is that "error" should never be triggerable by remote entities, and that it is always about something that requires admin intervention. This satisfies neither condition. The "warn" level can be used for unexpected events/behaviour triggered by remote entities, and this could qualify. However I don't think failed auth attempts are unexpected enough. I selected "info" because it is what is also used for other notable session lifecycle events.

mod_http_admin_api: Abort request if no valid username

mod_http_admin_api: Fix some luacheck warnings and code style issues

mod_http_admin_api: Support PATCH for user enabled status

mod_http_admin_api: Support for setting user account enabled status

mod_http_admin_api: Only include user deletion_request if account is disabled

mod_http_admin_api: Return avatar metadata from get_user_info()

mod_audit_auth: Improve user-agent building (fixes traceback)

mod_http_admin_api: Include information about pending deletion request, if any

mod_measure_active_users: Use the new mod_lastlog2 API

mod_measure_active_users: Exclude disabled user accounts from counts ...if usermanager exposes that API (it's in trunk, not 0.12).

mod_lastlog2: Fix to interpret stored data structure correctly

mod_http_admin_api: Include user account status and activity in get_user_info

mod_lastlog2: Expose API to query the last active time of a user

mod_sasl_ssdp: New module implementing XEP-0474 SASL SCRAM Downgrade Protection

mod_log_sasl_mech: Handle auth event from other than mod_saslauth E.g. mod_http_oauth2

mod_http_oauth2: Add logger to "session" for auth event So many assumptions in so many other modules about auth-success/fail

mod_http_oauth2: Move some code earlier

mod_restrict_xmpp: Allow all XEP-0199 pings to self No permission to send a ping without a 'to' attribute?