mod_http_oauth2: Allow omitting application type for native apps This derives "application_type":"native" from the first redirect URI when registering a client, so that it can be omitted without the default value of "web" causing the very same redirect URIs to be rejected.

mod_client_management: Show timestamp of first client appearance

mod_http_oauth2: Improve templates XML-ness by avoiding value-less attributes or whatever they're called Plus some Aria label tweaks

mod_http_oauth2: Add autocomplete hint to username field

mod_http_oauth2: Make storage of various code more consistent I'm not sure how any of this worked at all.

mod_http_oauth2: Bail on invalid or expired device flow state token

mod_http_oauth2: Tweak method of centering the UI The percentage here was relative to the viewport width, which on some very wide screens may put the UI slightly outside of the view, requiring scrolling to see. By using a unit relative to the height of the viewport, this is avoided and should work better. But no guarantees, it's still possible to resize the browser or adjust font sizes so that the UI goes out of view.

mod_http_oauth2: Optionally enforce authentication on revocation endpoint But why do OAuth require this? If a token leaks, why couldn't anyone revoke it?

mod_http_oauth2: Present errors in HTML <dialog> Nice semantic things that don't require JavaScript

mod_http_oauth2: Move site name into <header> Because it's the site header

mod_http_oauth2: Conform to XHTML in templates Mostly because pedantic. Seems appropriate. Nice to be able to use an XML parser.

mod_s2sout_override: Add support for one-level wildcards (e.g. *.example.net)

mod_s2sout_override: Add support for a catch-all target

mod_invites_page: Produce URL without config from prosodyctl in trunk Requires Prosody trunk rev 5884d58707fa or later.

mod_http_oauth2: Don't use new time period API just yet Mistake in commit splitting, this was meant for later. On the other hand, this is trunk only anyway.

mod_http_oauth2: Clean cache less frequently Seems unlikely that enough unused and expired codes accumulate to warrant an hourly job.

mod_http_oauth2: Shorten default token validity periods With refresh tokens, short lifetime for access tokens is not a problem. The arbitrary choice of one hour seems reasonable. RFC 6749 has it as example value. One week for refresh tokens matching the default archive retention period. This means that a client that remains unused for one week will have to sign in again. An actively used client will continually push that forward with each used refresh token.

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics

mod_http_oauth2: Hint at future deprecation of resource owner password grant It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.

mod_http_oauth2: Allow a shorter form of the device grant in config Long URI is long

mod_http_oauth2: Mention Device flow in list of flows in README

mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator Gives clients some hint about which moderator it was who did the deed. The @by attribute does have the nick of the actor, but they could change their nickname at some point, which is what occupant-id solves. Ref #1816

mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message Lets clients correlate the sender of whatever was retracted by moderators. Behavior limited to Prosody 0.12, otherwise there are no assurances of the origin of the occupant-id tag. Ref #1816

mod_muc_block_pm: Advertise that Moderators are allowed to send PMs But there appears to be no way in XEP-0045 to advertise that Anyone can send PMs *to* Moderators.

mod_muc_block_pm: Allow private messages to yourself No harm in it. Beagle apparently uses it for XEP-0333 in public channels

mod_http_oauth2: Show errors on device flow user code entry page If the user enters the code incorrectly, having to click back to try again is no fun. Instead, show the error and the code entry form again.

mod_http_oauth2: Namespace the various codes to minimize confusion Both for the programmer and in OAuth flows. While unlikely, it should not be possible to cause weirdness e.g. by typing a client id and authorization code into the device code entry.

mod_default_bookmarks: Include 'autojoin' in examples The text does mention this, but who reads that?

mod_http_oauth2: Improve a description in schema

editorconfig: Document established conventions