mod_storage_s3: Handle signing of request ?query part

mod_storage_s3: Beginnings of an experimental S3 storage driver Tested against MinIO

mod_measure_modules: Report module statuses via OpenMetrics Someone in the chat asked about a health check endpoint, which reminded me of mod_http_status, which provides access to module statuses with full details. After that, this idea came about, which seems natural. As noted in the README, it could be used to monitor that critical modules are in fact loaded correctly. As more modules use the status API, the more useful this module and mod_http_status becomes.

mod_http_health: Provide a health check HTTP endpoint Someone in the chat asked about a health check endpoint, which reminded me of mod_http_status, which was simplified to produce this module.

mod_rest/rest.sh: Restore default read-only behavior and the -rw flag

mod_http_oauth2: Include 'amr' claim in ID Token This essentially just says "password authentication was used". This field could later be used to indicate whether e.g. MFA was used.

mod_push2: restore offline message hook Filtering is mostly handled in handle_notify_request now

mod_push2: Need to include the public key with the JWT

mod_push2: Add note about luaossl patch

mod_push2: Fix unbalanced quote in readme

mod_push2: Add back body truncation logic

Initial work on Push 2.0

mod_muc_adhoc_bots: Fix unbalanced quote in metadata section

mod_muc_members_json: Fix potential error when removing old affiliations Found this uncommitted change on a production server... The affiliation data may been `nil` at some point, triggering an error?

mod_http_muc_log: Correctly handle changed or retracted reactions Since per XEP-0444 each reaction should overwrite all previous reactions on a particular message from a particular occupant. Previously repeated reactions would be counted again and retractions were not handled.

mod_muc_members_json: Demonstrate support for more than one JID per list

mod_muc_members_json: Fix invalid JSON in README

Merge

mod_muc_adhoc_bots: add module

mod_pubsub_subscription: support subscribing from a bare JID Allow subscribing from a bare JID on the component instead of only the component host, useful for subscribing to whitelist access model nodes that want to see a particular JID in the from.

merge

mod_muc_restrict_avatars: Block MUC participant avatars for non-members

misc/mtail: Start of an mtail config Stashing it here in case anyone wants to continue working on it. Currently it's only counting log messages by level. Due to the permissions set by systemd on Prosody logs, mtail never managed to start correctly until permissions were manually relaxed.

mod_muc_moderation: Mention that it works with mod_storage_xmlarchive (thanks Menel)

mod_http_oauth2: Apply refresh token ttl to refresh token instead of grant The intent in 59d5fc50f602 was for refresh tokens to extend the lifetime of the grant, but the refresh token ttl was applied to the grant and mod_tokenauth does not change it, leading to the grant expiring regardless of refresh token usage. This makes grant lifetimes unlimited, which seems to be standard practice in the wild.

mod_client_management: Show grant expiry in shell command I want to know when my OAuth2 grant expires and that it really is extended by refreshing.

mod_http_oauth2: Tweak wording in README to point out that this is an AS

mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt If the OIDC 'prompt' parameter does not contain the 'select_account' then it wants us to skip account selection, which means we have to figure which account to authenticate somehow. One way could be have this stored in a cookie from a previous successful login. Another way would be to have the account passed as a hint, which is what we add here.

mod_http_oauth2: Remove broken in-CSS templating Because util.interpolation with a "%b{}" pattern only matches the outer brackets, so variables inside them would not work unless the pattern is changed (also considered).

mod_bidi: Really extra finally fix auto-linking to mod_s2s_bidi

mod_bidi: Fix README again

mod_bidi: Fix autolink syntax Thanks pandoc ... not

mod_bidi: Add warning about use with 0.12

mod_rest/rest.sh: Silence shellcheck SC1091 Stops it from trying and failing to read the config file, since the path uses variables.

mod_rest/rest.sh: Update to use httpie-oauth2 plugin This bash implementation of OAuth2/OIDC was growing to the point where it needed a massive refactor, which made me look into alternatives where I finally settled on implementing oauth2 in a plugin for HTTPie.

mod_http_oauth2: Specify language in templates Might be used as hint to translation systems. Maybe one day we'll have i18n built in, but this is not that day!

mod_http_oauth2: Remove duplicated word in README introduced in 734788d8bfc3

mod_http_oauth2: Allow omitting application type for native apps This derives "application_type":"native" from the first redirect URI when registering a client, so that it can be omitted without the default value of "web" causing the very same redirect URIs to be rejected.

mod_client_management: Show timestamp of first client appearance

mod_http_oauth2: Improve templates XML-ness by avoiding value-less attributes or whatever they're called Plus some Aria label tweaks

mod_http_oauth2: Add autocomplete hint to username field

mod_http_oauth2: Make storage of various code more consistent I'm not sure how any of this worked at all.

mod_http_oauth2: Bail on invalid or expired device flow state token

mod_http_oauth2: Tweak method of centering the UI The percentage here was relative to the viewport width, which on some very wide screens may put the UI slightly outside of the view, requiring scrolling to see. By using a unit relative to the height of the viewport, this is avoided and should work better. But no guarantees, it's still possible to resize the browser or adjust font sizes so that the UI goes out of view.

mod_http_oauth2: Optionally enforce authentication on revocation endpoint But why do OAuth require this? If a token leaks, why couldn't anyone revoke it?

mod_http_oauth2: Present errors in HTML <dialog> Nice semantic things that don't require JavaScript

mod_http_oauth2: Move site name into <header> Because it's the site header

mod_http_oauth2: Conform to XHTML in templates Mostly because pedantic. Seems appropriate. Nice to be able to use an XML parser.

mod_s2sout_override: Add support for one-level wildcards (e.g. *.example.net)

mod_s2sout_override: Add support for a catch-all target

mod_invites_page: Produce URL without config from prosodyctl in trunk Requires Prosody trunk rev 5884d58707fa or later.

mod_http_oauth2: Don't use new time period API just yet Mistake in commit splitting, this was meant for later. On the other hand, this is trunk only anyway.

mod_http_oauth2: Clean cache less frequently Seems unlikely that enough unused and expired codes accumulate to warrant an hourly job.

mod_http_oauth2: Shorten default token validity periods With refresh tokens, short lifetime for access tokens is not a problem. The arbitrary choice of one hour seems reasonable. RFC 6749 has it as example value. One week for refresh tokens matching the default archive retention period. This means that a client that remains unused for one week will have to sign in again. An actively used client will continually push that forward with each used refresh token.

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics

mod_http_oauth2: Hint at future deprecation of resource owner password grant It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.

mod_http_oauth2: Allow a shorter form of the device grant in config Long URI is long

mod_http_oauth2: Mention Device flow in list of flows in README

mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator Gives clients some hint about which moderator it was who did the deed. The @by attribute does have the nick of the actor, but they could change their nickname at some point, which is what occupant-id solves. Ref #1816

mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message Lets clients correlate the sender of whatever was retracted by moderators. Behavior limited to Prosody 0.12, otherwise there are no assurances of the origin of the occupant-id tag. Ref #1816

mod_muc_block_pm: Advertise that Moderators are allowed to send PMs But there appears to be no way in XEP-0045 to advertise that Anyone can send PMs *to* Moderators.

mod_muc_block_pm: Allow private messages to yourself No harm in it. Beagle apparently uses it for XEP-0333 in public channels

mod_http_oauth2: Show errors on device flow user code entry page If the user enters the code incorrectly, having to click back to try again is no fun. Instead, show the error and the code entry form again.

mod_http_oauth2: Namespace the various codes to minimize confusion Both for the programmer and in OAuth flows. While unlikely, it should not be possible to cause weirdness e.g. by typing a client id and authorization code into the device code entry.

mod_default_bookmarks: Include 'autojoin' in examples The text does mention this, but who reads that?

mod_http_oauth2: Improve a description in schema

editorconfig: Document established conventions

mod_muc_limits: Drop unsupported Prosody versions from Compatibility table

mod_muc_limits: Set syntax of config snippets to enable syntax highlighting

mod_muc_limits: Reduce cost of multi-line messages, make configurable Typing a 5-line message preceded by a few chat states would have hit the default limit.

mod_client_management: Make ID column dynamically sized Its width can vary more than expected (because it can contain resources)

mod_client_management: Fix traceback if no last seen timestamp available

mod_http_oauth2: Add titles and descriptions to registration schema Since it is exposed publicly, it can serve as documentation.

mod_client_management: Fix missing equality check

mod_client_management: Allow revoking a specific client version Could be useful in case of a security issue affecting a particular version. Even if in that case, the more likely use case is revoking all older versions except the fixed one(s), this can be done with a loop or improved later.

mod_client_management: Add way to revoke (one) client by software This is a bit hacky but it works.

mod_client_management: Add shell command to revoke client access Could be used if an operator detects a compromised client.

mod_client_management: Include software version in table (when known) Showing software versions could be useful for statistical reasons, e.g. determining how quickly (or not) users upgrade, but most importantly for revoking vulnerable clients versions in case of a security issue.

mod_client_management: Include the client id in table in shell command Since this is the identifier used when revoking clients it is useful to show it.

mod_muc_block_pm: Update to 0.12+ API, use roles instead of affiliations The module was possibly broken with 0.12 before. This changes the behavior to allow only messages to or from moderators.

mod_http_muc_log: Fix redirect bug If you somehow went to /muc_log/room/yyyy-mm-dd/something it would send you in a redirect loop that continuously added path components until the path can't be parsed anymore. This should ensure that /muc_log/room/date/ is simply 404'd

mod_http_oauth2: Implement RFC 8628 Device Authorization Grant Meant for devices without easy access to a web browser, such as refrigerators and toasters, which definitely need to be running OAuth-enabled XMPP clients! Could be used for CLI tools that might have trouble running a http server needed for the authorization code flow.

mod_http_oauth2: Mention support for RFC 9207

mod_muc_members_json: Set imported hats to active by default

mod_muc_members_json: New module to import MUC membership from a JSON URL

mod_rest: Use logger of HTTP request in trunk In Prosody trunk rev c975dafa4303 each HTTP request gained its own log sink, to make it easy to log things related to each request and group those messages. Especially where async is used, spreading the request and response apart as mod_rest does with iq stanzas, this grouped logging should help find related messages.

mod_measure_lua: Add brief README

mod_groups_oidc: Add dependency on mod_groups_internal Doesn't make much sense without it, no?

Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)

mod_http_muc_log: Hide joins and parts by default Now both ?p=s(how) and ?p=h(ide) are understood and propagated trough links, with unset being being hide.

mod_http_oauth2: Only add nonce when issuing a client_secret Not as important that the client_id be unique if there's no client_secret since the point was to make each issued client_secret distinct.

mod_pubsub_feeds: Specify acceptable formats in Accept header Don't need to a condition on the etag, if it's nil it's left out.

mod_pubsub_feeds: Pass feed data as argument instead of storing on object Feeds can be quite large, why were we keeping them after parsing???

mod_pubsub_feeds: Retrieve only the most recent item to compare Only need one item id. Fetching all items probably caused memory usage peaks.

mod_pubsub_feeds: Handle node already existing Don't need to create it if it exists

mod_pubsub_feeds: Remove comment, this text is in the README

mod_pubsub_feeds: Remove broken attempt to generate an ID from content This seems to never have worked correctly and now the timestamp is out of scope anyway.

mod_pubsub_feeds: Fix mixup between feed object and parsed feed Did the HMAC thing ever work?

mod_pubsub_feeds: Create pubsub nodes on module load instead of later Should produce faster feedback of things being wrong.

mod_pubsub_feeds: Track latest timestamp seen in feeds instead of last poll This should ensure that an entry that has a publish timestmap after the previously oldest post, but before the time of the last poll check, is published to the node. Previously if an entry would be skipped if it was published at 13:00 with a timestamp of 12:30, where the last poll was at 12:45. For feeds that lack a timestamp, it now looks for the first post that is not published, assuming that the feed is in reverse chronological order, then iterates back up from there.

mod_pubsub_feeds: Add new interval setting in seconds (old still works) To match most other such settings.

mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default I have seen no recent evidence of this being used or supported by anything anywhere anymore.

mod_http_oauth2: Always show list of requested scopes Upon further reflection, these are probably too important to hide behind a <details> thing.

mod_muc_limits: Add a limit on number of bytes in a message body

mod_muc_limits: Add a limit on number of lines per message More vertical space -> more cost

mod_muc_limits: Normalise README markdown syntax (thanks pandoc)

mod_muc_limits: Raise cost for multi-line messages

Back out 22784f001b7f: Documentation change did not match code (thanks bronko)

mod_http_oauth2: Rearrange description of redirect URIs requirements So that they're in one place only instead of sorta twice.

mod_http_oauth2: Add a more complete client registration example More fields from RFC 7591. We should probably mention and recommend more of them, especially the ones that are recorded in grants.

mod_http_oauth2: Strip JWKS metadata since we do not understand that Maybe one day whatever this is will be understood, but not this day!

mod_http_oauth2: Strip unknown client metadata Per RFC 7591 > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). This was previously done but unintentionally removed in 90449babaa48

mod_rest: Map the archive-id attribute in MAM result items I was wondering why this wasn't in the JSON output

mod_rest: Include full_jid property on origin Fixes permission check in disco#info query to your own account, where the 'to' would have been stripped since it equals the account JID, leaving mod_disco passing nil, which triggers an error in module:may()

mod_oidc_userinfo_vcard4: Remove unused import

mod_oidc_userinfo_vcard4: Fix typo

mod_http_oauth2: Make allowed locales configurable Explicit > Implicit Instead of allowing anything after #, allow only the explicitly configured locales to be used. Default to empty list because using these is not supported yet. This potentially limits the size of the client_id, which is already quite large. Nothing prevents clients from registering a whole client_id per locale, which would not require translation support on this side.

mod_http_oauth2: Improve error messages for URI properties Since there are separate validation checks for URI properties, including that they should use https, with better and more specific error reporting. Reverts 'luaPattern' to 'pattern' which is not currently supported by util.jsonschema, but allows anything that retrieves the schema over http to validate against it, should they wish to do so.

mod_rest: Describe the error 'by' property in OpenAPI spec

mod_rest: List all error conditions in OpenAPI spec These are not handled by datamanager but by util.stanza and util.error, so they are not represented in the JSON schema file.