Kim Alvefur <zash@zash.se> [Sat, 14 Oct 2023 21:40:20 +0200] rev 5674
mod_storage_s3: Handle signing of request ?query part
Kim Alvefur <zash@zash.se> [Sat, 14 Oct 2023 17:31:06 +0200] rev 5673
mod_storage_s3: Beginnings of an experimental S3 storage driver
Tested against MinIO
Kim Alvefur <zash@zash.se> [Fri, 06 Oct 2023 18:34:39 +0200] rev 5672
mod_measure_modules: Report module statuses via OpenMetrics
Someone in the chat asked about a health check endpoint, which reminded
me of mod_http_status, which provides access to module statuses with
full details. After that, this idea came about, which seems natural.
As noted in the README, it could be used to monitor that critical
modules are in fact loaded correctly.
As more modules use the status API, the more useful this module and
mod_http_status become.
Kim Alvefur <zash@zash.se> [Fri, 06 Oct 2023 16:49:57 +0200] rev 5671
mod_http_health: Provide a health check HTTP endpoint
Someone in the chat asked about a health check endpoint, which reminded
me of mod_http_status, which was simplified to produce this module.
Kim Alvefur <zash@zash.se> [Sun, 01 Oct 2023 16:39:48 +0200] rev 5670
mod_rest/rest.sh: Restore default read-only behavior and the -rw flag
Kim Alvefur <zash@zash.se> [Thu, 28 Sep 2023 16:38:29 +0200] rev 5669
mod_http_oauth2: Include 'amr' claim in ID Token
This essentially just says "password authentication was used". This
field could later be used to indicate whether e.g. MFA was used.
Stephen Paul Weber <singpolyma@singpolyma.net> [Thu, 21 Sep 2023 18:47:27 -0500] rev 5668
mod_push2: restore offline message hook
Filtering is mostly handled in handle_notify_request now
Stephen Paul Weber <singpolyma@singpolyma.net> [Wed, 20 Sep 2023 23:05:29 -0500] rev 5667
mod_push2: Need to include the public key with the JWT
Stephen Paul Weber <singpolyma@singpolyma.net> [Tue, 19 Sep 2023 21:39:14 -0500] rev 5666
mod_push2: Add note about luaossl patch
Stephen Paul Weber <singpolyma@singpolyma.net> [Tue, 19 Sep 2023 21:36:13 -0500] rev 5665
mod_push2: Fix unbalanced quote in readme
Stephen Paul Weber <singpolyma@singpolyma.net> [Tue, 19 Sep 2023 21:33:40 -0500] rev 5664
mod_push2: Add back body truncation logic
Stephen Paul Weber <singpolyma@singpolyma.net> [Tue, 19 Sep 2023 21:21:17 -0500] rev 5663
Initial work on Push 2.0
Kim Alvefur <zash@zash.se> [Tue, 19 Sep 2023 15:03:01 +0200] rev 5662
mod_muc_adhoc_bots: Fix unbalanced quote in metadata section
Kim Alvefur <zash@zash.se> [Tue, 19 Sep 2023 14:55:56 +0200] rev 5661
mod_muc_members_json: Fix potential error when removing old affiliations
Found this uncommitted change on a production server...
The affiliation data may have been `nil` at some point, triggering an error?
Kim Alvefur <zash@zash.se> [Tue, 19 Sep 2023 13:22:00 +0200] rev 5660
mod_http_muc_log: Correctly handle changed or retracted reactions
Since per XEP-0444 each reaction should overwrite all previous reactions
on a particular message from a particular occupant.
Previously repeated reactions would be counted again and retractions
were not handled.
Kim Alvefur <zash@zash.se> [Mon, 18 Sep 2023 18:34:55 +0200] rev 5659
mod_muc_members_json: Demonstrate support for more than one JID per list
Kim Alvefur <zash@zash.se> [Mon, 18 Sep 2023 18:33:01 +0200] rev 5658
mod_muc_members_json: Fix invalid JSON in README
Stephen Paul Weber <singpolyma@singpolyma.net> [Mon, 18 Sep 2023 08:24:19 -0500] rev 5657
Merge
Stephen Paul Weber <singpolyma@singpolyma.net> [Mon, 18 Sep 2023 08:22:07 -0500] rev 5656
mod_muc_adhoc_bots: add module
Stephen Paul Weber <singpolyma@singpolyma.net> [Sat, 06 May 2023 19:42:08 -0500] rev 5655
mod_pubsub_subscription: support subscribing from a bare JID
Allow subscribing from a bare JID on the component instead of only the component
host, useful for subscribing to whitelist access model nodes that want to see
a particular JID in the from.
Stephen Paul Weber <singpolyma@singpolyma.net> [Sat, 06 May 2023 19:40:23 -0500] rev 5654
merge
Stephen Paul Weber <singpolyma@singpolyma.net> [Wed, 22 Feb 2023 22:47:45 -0500] rev 5653
mod_muc_restrict_avatars: Block MUC participant avatars for non-members
Kim Alvefur <zash@zash.se> [Sun, 17 Sep 2023 13:36:30 +0200] rev 5652
misc/mtail: Start of an mtail config
Stashing it here in case anyone wants to continue working on it.
Currently it's only counting log messages by level.
Due to the permissions set by systemd on Prosody logs, mtail never
managed to start correctly until permissions were manually relaxed.
Kim Alvefur <zash@zash.se> [Mon, 11 Sep 2023 18:03:18 +0200] rev 5651
mod_muc_moderation: Mention that it works with mod_storage_xmlarchive (thanks Menel)
Kim Alvefur <zash@zash.se> [Mon, 11 Sep 2023 10:48:31 +0200] rev 5650
mod_http_oauth2: Apply refresh token ttl to refresh token instead of grant
The intent in 59d5fc50f602 was for refresh tokens to extend the lifetime
of the grant, but the refresh token ttl was applied to the grant and
mod_tokenauth does not change it, leading to the grant expiring
regardless of refresh token usage.
This makes grant lifetimes unlimited, which seems to be standard
practice in the wild.
Kim Alvefur <zash@zash.se> [Mon, 11 Sep 2023 10:19:38 +0200] rev 5649
mod_client_management: Show grant expiry in shell command
I want to know when my OAuth2 grant expires and that it really is
extended by refreshing.
Kim Alvefur <zash@zash.se> [Sat, 09 Sep 2023 22:51:25 +0200] rev 5648
mod_http_oauth2: Tweak wording in README to point out that this is an AS
Kim Alvefur <zash@zash.se> [Sat, 09 Sep 2023 21:42:24 +0200] rev 5647
mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt
If the OIDC 'prompt' parameter does not contain 'select_account'
then it wants us to skip account selection, which means we have to
figure out which account to authenticate somehow. One way could be to have
this stored in a cookie from a previous successful login. Another way
would be to have the account passed as a hint, which is what we add
here.
Kim Alvefur <zash@zash.se> [Sun, 27 Aug 2023 09:49:35 +0200] rev 5646
mod_http_oauth2: Remove broken in-CSS templating
Because util.interpolation with a "%b{}" pattern only matches the outer
brackets, so variables inside them would not work unless the pattern is
changed (also considered).
Kim Alvefur <zash@zash.se> [Sun, 27 Aug 2023 15:33:14 +0200] rev 5645
mod_bidi: Really extra finally fix auto-linking to mod_s2s_bidi
Kim Alvefur <zash@zash.se> [Sun, 27 Aug 2023 15:31:46 +0200] rev 5644
mod_bidi: Fix README again
Kim Alvefur <zash@zash.se> [Sun, 27 Aug 2023 15:30:00 +0200] rev 5643
mod_bidi: Fix autolink syntax
Thanks pandoc ... not
Kim Alvefur <zash@zash.se> [Sun, 27 Aug 2023 15:28:53 +0200] rev 5642
mod_bidi: Add warning about use with 0.12
Kim Alvefur <zash@zash.se> [Sat, 26 Aug 2023 14:49:45 +0200] rev 5641
mod_rest/rest.sh: Silence shellcheck SC1091
Stops it from trying and failing to read the config file, since the path
uses variables.
Kim Alvefur <zash@zash.se> [Sat, 26 Aug 2023 14:37:04 +0200] rev 5640
mod_rest/rest.sh: Update to use httpie-oauth2 plugin
This bash implementation of OAuth2/OIDC was growing to the point where
it needed a massive refactor, which made me look into alternatives where
I finally settled on implementing oauth2 in a plugin for HTTPie.
Kim Alvefur <zash@zash.se> [Sat, 26 Aug 2023 01:40:23 +0200] rev 5639
mod_http_oauth2: Specify language in templates
Might be used as hint to translation systems.
Maybe one day we'll have i18n built in, but this is not that day!
Kim Alvefur <zash@zash.se> [Thu, 17 Aug 2023 08:34:17 +0200] rev 5638
mod_http_oauth2: Remove duplicated word in README introduced in 734788d8bfc3
Kim Alvefur <zash@zash.se> [Wed, 16 Aug 2023 23:56:40 +0200] rev 5637
mod_http_oauth2: Allow omitting application type for native apps
This derives "application_type":"native" from the first redirect URI
when registering a client, so that it can be omitted without the default
value of "web" causing the very same redirect URIs to be rejected.
Kim Alvefur <zash@zash.se> [Wed, 16 Aug 2023 11:17:28 +0200] rev 5636
mod_client_management: Show timestamp of first client appearance
Kim Alvefur <zash@zash.se> [Tue, 08 Aug 2023 17:04:50 +0200] rev 5635
mod_http_oauth2: Improve templates
XML-ness by avoiding value-less attributes or whatever they're called
Plus some Aria label tweaks
Kim Alvefur <zash@zash.se> [Mon, 07 Aug 2023 22:52:14 +0200] rev 5634
mod_http_oauth2: Add autocomplete hint to username field
Kim Alvefur <zash@zash.se> [Sun, 06 Aug 2023 12:07:05 +0200] rev 5633
mod_http_oauth2: Make storage of various code more consistent
I'm not sure how any of this worked at all.
Kim Alvefur <zash@zash.se> [Fri, 04 Aug 2023 01:11:01 +0200] rev 5632
mod_http_oauth2: Bail on invalid or expired device flow state token
Kim Alvefur <zash@zash.se> [Mon, 31 Jul 2023 07:28:09 +0200] rev 5631
mod_http_oauth2: Tweak method of centering the UI
The percentage here was relative to the viewport width, which on some
very wide screens may put the UI slightly outside of the view, requiring
scrolling to see.
By using a unit relative to the height of the viewport, this is avoided
and should work better. But no guarantees, it's still possible to resize
the browser or adjust font sizes so that the UI goes out of view.
Kim Alvefur <zash@zash.se> [Mon, 31 Jul 2023 02:07:58 +0200] rev 5630
mod_http_oauth2: Optionally enforce authentication on revocation endpoint
But why does OAuth require this? If a token leaks, why couldn't anyone
revoke it?
Kim Alvefur <zash@zash.se> [Mon, 31 Jul 2023 02:07:24 +0200] rev 5629
mod_http_oauth2: Present errors in HTML <dialog>
Nice semantic things that don't require JavaScript
Kim Alvefur <zash@zash.se> [Mon, 31 Jul 2023 02:05:49 +0200] rev 5628
mod_http_oauth2: Move site name into <header>
Because it's the site header
Kim Alvefur <zash@zash.se> [Mon, 31 Jul 2023 02:04:05 +0200] rev 5627
mod_http_oauth2: Conform to XHTML in templates
Mostly because pedantic. Seems appropriate.
Nice to be able to use an XML parser.
Kim Alvefur <zash@zash.se> [Thu, 27 Jul 2023 15:04:38 +0200] rev 5626
mod_s2sout_override: Add support for one-level wildcards (e.g. *.example.net)
Kim Alvefur <zash@zash.se> [Thu, 27 Jul 2023 15:00:26 +0200] rev 5625
mod_s2sout_override: Add support for a catch-all target
Kim Alvefur <zash@zash.se> [Wed, 26 Jul 2023 16:23:13 +0200] rev 5624
mod_invites_page: Produce URL without config from prosodyctl in trunk
Requires Prosody trunk rev 5884d58707fa or later.
Kim Alvefur <zash@zash.se> [Tue, 25 Jul 2023 11:01:58 +0200] rev 5623
mod_http_oauth2: Don't use new time period API just yet
Mistake in commit splitting, this was meant for later.
On the other hand, this is trunk only anyway.
Kim Alvefur <zash@zash.se> [Mon, 24 Jul 2023 01:26:41 +0200] rev 5622
mod_http_oauth2: Clean cache less frequently
Seems unlikely that enough unused and expired codes accumulate to
warrant an hourly job.
Kim Alvefur <zash@zash.se> [Mon, 24 Jul 2023 01:30:14 +0200] rev 5621
mod_http_oauth2: Shorten default token validity periods
With refresh tokens, short lifetime for access tokens is not a problem.
The arbitrary choice of one hour seems reasonable. RFC 6749 has it as
example value.
One week for refresh tokens matching the default archive retention
period. This means that a client that remains unused for one week will
have to sign in again. An actively used client will continually push
that forward with each used refresh token.
Kim Alvefur <zash@zash.se> [Sun, 23 Jul 2023 02:56:08 +0200] rev 5620
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:38:04 +0200] rev 5619
mod_http_oauth2: Hint at future deprecation of resource owner password grant
It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:37:34 +0200] rev 5618
mod_http_oauth2: Allow a shorter form of the device grant in config
Long URI is long
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:29:24 +0200] rev 5617
mod_http_oauth2: Mention Device flow in list of flows in README
Kim Alvefur <zash@zash.se> [Thu, 20 Jul 2023 10:38:33 +0200] rev 5616
mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator
Gives clients some hint about which moderator it was who did the deed.
The @by attribute does have the nick of the actor, but they could change
their nickname at some point, which is what occupant-id solves.
Ref #1816
Kim Alvefur <zash@zash.se> [Thu, 20 Jul 2023 10:37:27 +0200] rev 5615
mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message
Lets clients correlate the sender of whatever was retracted by
moderators. Behavior limited to Prosody 0.12, otherwise there are no
assurances of the origin of the occupant-id tag.
Ref #1816
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 17:01:40 +0200] rev 5614
mod_muc_block_pm: Advertise that Moderators are allowed to send PMs
But there appears to be no way in XEP-0045 to advertise that Anyone can
send PMs *to* Moderators.
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 16:59:16 +0200] rev 5613
mod_muc_block_pm: Allow private messages to yourself
No harm in it.
Beagle apparently uses it for XEP-0333 in public channels
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 13:05:47 +0200] rev 5612
mod_http_oauth2: Show errors on device flow user code entry page
If the user enters the code incorrectly, having to click back to try
again is no fun. Instead, show the error and the code entry form again.
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 12:58:04 +0200] rev 5611
mod_http_oauth2: Namespace the various codes to minimize confusion
Both for the programmer and in OAuth flows.
While unlikely, it should not be possible to cause weirdness e.g. by
typing a client id and authorization code into the device code entry.
Kim Alvefur <zash@zash.se> [Mon, 17 Jul 2023 16:40:45 +0200] rev 5610
mod_default_bookmarks: Include 'autojoin' in examples
The text does mention this, but who reads that?
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 12:27:24 +0200] rev 5609
mod_http_oauth2: Improve a description in schema
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 10:45:26 +0200] rev 5608
editorconfig: Document established conventions
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 09:16:19 +0200] rev 5607
mod_muc_limits: Drop unsupported Prosody versions from Compatibility table
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 09:14:57 +0200] rev 5606
mod_muc_limits: Set syntax of config snippets to enable syntax highlighting
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 09:09:41 +0200] rev 5605
mod_muc_limits: Reduce cost of multi-line messages, make configurable
Typing a 5-line message preceded by a few chat states would have hit the
default limit.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 16:20:54 +0200] rev 5604
mod_client_management: Make ID column dynamically sized
Its width can vary more than expected (because it can contain resources)
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 16:09:43 +0200] rev 5603
mod_client_management: Fix traceback if no last seen timestamp available
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 16:04:11 +0200] rev 5602
mod_http_oauth2: Add titles and descriptions to registration schema
Since it is exposed publicly, it can serve as documentation.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 15:44:55 +0200] rev 5601
mod_client_management: Fix missing equality check
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 15:16:06 +0200] rev 5600
mod_client_management: Allow revoking a specific client version
Could be useful in case of a security issue affecting a particular
version. Even if in that case, the more likely use case is revoking all
older versions except the fixed one(s), this can be done with a loop or
improved later.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 15:01:56 +0200] rev 5599
mod_client_management: Add way to revoke (one) client by software
This is a bit hacky but it works.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 13:25:30 +0200] rev 5598
mod_client_management: Add shell command to revoke client access
Could be used if an operator detects a compromised client.
Kim Alvefur <zash@zash.se> [Thu, 13 Jul 2023 23:26:02 +0200] rev 5597
mod_client_management: Include software version in table (when known)
Showing software versions could be useful for statistical reasons, e.g.
determining how quickly (or not) users upgrade, but most importantly for
revoking vulnerable client versions in case of a security issue.
Kim Alvefur <zash@zash.se> [Thu, 13 Jul 2023 23:24:23 +0200] rev 5596
mod_client_management: Include the client id in table in shell command
Since this is the identifier used when revoking clients it is useful to
show it.
Kim Alvefur <zash@zash.se> [Wed, 12 Jul 2023 15:47:20 +0200] rev 5595
mod_muc_block_pm: Update to 0.12+ API, use roles instead of affiliations
The module was possibly broken with 0.12 before.
This changes the behavior to allow only messages to or from moderators.
Kim Alvefur <zash@zash.se> [Mon, 10 Jul 2023 16:10:57 +0200] rev 5594
mod_http_muc_log: Fix redirect bug
If you somehow went to /muc_log/room/yyyy-mm-dd/something it would send
you in a redirect loop that continuously added path components until the
path can't be parsed anymore.
This should ensure that /muc_log/room/date/ is simply 404'd
Kim Alvefur <zash@zash.se> [Mon, 10 Jul 2023 07:16:54 +0200] rev 5593
mod_http_oauth2: Implement RFC 8628 Device Authorization Grant
Meant for devices without easy access to a web browser, such as
refrigerators and toasters, which definitely need to be running
OAuth-enabled XMPP clients!
Could be used for CLI tools that might have trouble running a http
server needed for the authorization code flow.
Kim Alvefur <zash@zash.se> [Fri, 07 Jul 2023 19:45:48 +0200] rev 5592
mod_http_oauth2: Mention support for RFC 9207
Matthew Wild <mwild1@gmail.com> [Fri, 07 Jul 2023 02:02:09 +0100] rev 5591
mod_muc_members_json: Set imported hats to active by default
Matthew Wild <mwild1@gmail.com> [Fri, 07 Jul 2023 01:25:44 +0100] rev 5590
mod_muc_members_json: New module to import MUC membership from a JSON URL
Kim Alvefur <zash@zash.se> [Fri, 07 Jul 2023 00:10:37 +0200] rev 5589
mod_rest: Use logger of HTTP request in trunk
In Prosody trunk rev c975dafa4303 each HTTP request gained its own log
sink, to make it easy to log things related to each request and group
those messages. Especially where async is used, spreading the request
and response apart as mod_rest does with iq stanzas, this grouped
logging should help find related messages.
Kim Alvefur <zash@zash.se> [Fri, 30 Jun 2023 23:58:03 +0200] rev 5588
mod_measure_lua: Add brief README
Kim Alvefur <zash@zash.se> [Fri, 30 Jun 2023 23:57:37 +0200] rev 5587
mod_groups_oidc: Add dependency on mod_groups_internal
Doesn't make much sense without it, no?
Matthew Wild <mwild1@gmail.com> [Thu, 29 Jun 2023 15:58:33 +0100] rev 5586
Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Kim Alvefur <zash@zash.se> [Wed, 28 Jun 2023 21:47:22 +0200] rev 5585
mod_http_muc_log: Hide joins and parts by default
Now both ?p=s(how) and ?p=h(ide) are understood and propagated through
links, with unset being hide.
Kim Alvefur <zash@zash.se> [Mon, 26 Jun 2023 00:19:05 +0200] rev 5584
mod_http_oauth2: Only add nonce when issuing a client_secret
Not as important that the client_id be unique if there's no
client_secret since the point was to make each issued client_secret
distinct.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 23:53:15 +0200] rev 5583
mod_pubsub_feeds: Specify acceptable formats in Accept header
Don't need a condition on the etag, if it's nil it's left out.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 20:15:44 +0200] rev 5582
mod_pubsub_feeds: Pass feed data as argument instead of storing on object
Feeds can be quite large, why were we keeping them after parsing???
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 19:58:45 +0200] rev 5581
mod_pubsub_feeds: Retrieve only the most recent item to compare
Only need one item id.
Fetching all items probably caused memory usage peaks.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 19:52:24 +0200] rev 5580
mod_pubsub_feeds: Handle node already existing
Don't need to create it if it exists
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:48:21 +0200] rev 5579
mod_pubsub_feeds: Remove comment, this text is in the README
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:45:25 +0200] rev 5578
mod_pubsub_feeds: Remove broken attempt to generate an ID from content
This seems to never have worked correctly and now the timestamp is out
of scope anyway.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:42:57 +0200] rev 5577
mod_pubsub_feeds: Fix mixup between feed object and parsed feed
Did the HMAC thing ever work?
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:41:50 +0200] rev 5576
mod_pubsub_feeds: Create pubsub nodes on module load instead of later
Should produce faster feedback of things being wrong.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:27:55 +0200] rev 5575
mod_pubsub_feeds: Track latest timestamp seen in feeds instead of last poll
This should ensure that an entry that has a publish timestamp after the
previously oldest post, but before the time of the last poll check, is
published to the node.
Previously an entry would be skipped if it was published at 13:00
with a timestamp of 12:30, where the last poll was at 12:45.
For feeds that lack a timestamp, it now looks for the first post that is
not published, assuming that the feed is in reverse chronological order,
then iterates back up from there.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:24:12 +0200] rev 5574
mod_pubsub_feeds: Add new interval setting in seconds (old still works)
To match most other such settings.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:20:57 +0200] rev 5573
mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default
I have seen no recent evidence of this being used or supported by
anything anywhere anymore.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 11:12:07 +0200] rev 5572
mod_http_oauth2: Always show list of requested scopes
Upon further reflection, these are probably too important to hide behind
a <details> thing.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 00:00:02 +0200] rev 5571
mod_muc_limits: Add a limit on number of bytes in a message body
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:56:13 +0200] rev 5570
mod_muc_limits: Add a limit on number of lines per message
More vertical space -> more cost
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:53:48 +0200] rev 5569
mod_muc_limits: Normalise README markdown syntax (thanks pandoc)
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:51:31 +0200] rev 5568
mod_muc_limits: Raise cost for multi-line messages
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 22:00:51 +0200] rev 5567
Back out 22784f001b7f: Documentation change did not match code (thanks bronko)
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 21:59:49 +0200] rev 5566
mod_http_oauth2: Rearrange description of redirect URIs requirements
So that they're in one place only instead of sorta twice.
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 09:18:32 +0200] rev 5565
mod_http_oauth2: Add a more complete client registration example
More fields from RFC 7591. We should probably mention and recommend more
of them, especially the ones that are recorded in grants.
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:13:51 +0200] rev 5564
mod_http_oauth2: Strip JWKS metadata since we do not understand that
Maybe one day whatever this is will be understood, but not this day!
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:11:34 +0200] rev 5563
mod_http_oauth2: Strip unknown client metadata
Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
This was previously done but unintentionally removed in 90449babaa48
Kim Alvefur <zash@zash.se> [Mon, 19 Jun 2023 01:26:56 +0200] rev 5562
mod_rest: Map the archive-id attribute in MAM result items
I was wondering why this wasn't in the JSON output
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 22:23:24 +0200] rev 5561
mod_rest: Include full_jid property on origin
Fixes permission check in disco#info query to your own account, where
the 'to' would have been stripped since it equals the account JID,
leaving mod_disco passing nil, which triggers an error in module:may()
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:23 +0200] rev 5560
mod_oidc_userinfo_vcard4: Remove unused import
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:13 +0200] rev 5559
mod_oidc_userinfo_vcard4: Fix typo
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 19:03:32 +0200] rev 5558
mod_http_oauth2: Make allowed locales configurable
Explicit > Implicit
Instead of allowing anything after #, allow only the explicitly
configured locales to be used.
Default to empty list because using these is not supported yet.
This potentially limits the size of the client_id, which is already
quite large. Nothing prevents clients from registering a whole
client_id per locale, which would not require translation support on
this side.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 18:15:00 +0200] rev 5557
mod_http_oauth2: Improve error messages for URI properties
Since there are separate validation checks for URI properties, including
that they should use https, with better and more specific error reporting.
Reverts 'luaPattern' to 'pattern' which is not currently supported by
util.jsonschema, but allows anything that retrieves the schema over http
to validate against it, should they wish to do so.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:28:13 +0200] rev 5556
mod_rest: Describe the error 'by' property in OpenAPI spec
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:26:33 +0200] rev 5555
mod_rest: List all error conditions in OpenAPI spec
These are not handled by datamanager but by util.stanza and util.error,
so they are not represented in the JSON schema file.