mod_storage_appendmap: Implement item/user iteration methods

mod_http_health: Copypaste IP access control code

mod_dnsupdate: Support advertising explicit non-existence of service

mod_http_admin_api: Support for adding/removing group MUCs

mod_groups_muc_bookmarks: Update bookmarks when a group MUC is added/removed

mod_groups_internal: Update to support multiple MUCs per group This was a feature request for Snikket.

mod_storage_ejabberdsql_readonly: Don't use MySQL-specific syntax util.sql should take care of transformation when MySQL is in use.

mod_client_management: Bail out retrieving tokens for user Fixes core/usermanager.lua:118: attempt to index a nil value (field '?')

mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.

mod_http_oauth2: Restrict introspection to clients own tokens The introspection code was added before the client hash was added in 0860497152af which allows connecting tokens to clients.

mod_http_oauth2: Implement introspection endpoint "Tell me about this token"

mod_http_status: Add IP allowlisting capabilities Based on mod_http_openmetrics

mod_rest: Limit payload size (cf stanza size limits) Otherwise the limit would be defined by the HTTP stack.

mod_storage_s3: Add brief README

mod_storage_s3: Treat 404 to GET as a signal for empty data

mod_storage_s3: Use '@' as placeholder for empty (host) store slots Used when the server stores things for itself.

mod_storage_s3: Handle archive query without parameters

mod_storage_s3: Implement Archive storage

mod_storage_s3: Implement iteration of keyvalue keys (users usually)

mod_storage_s3: Implement keyvalue deletion

mod_storage_s3: Handle signing of request ?query part

mod_storage_s3: Beginnings of an experimental S3 storage driver Tested against MinIO

mod_measure_modules: Report module statuses via OpenMetrics Someone in the chat asked about a health check endpoint, which reminded me of mod_http_status, which provides access to module statuses with full details. After that, this idea came about, which seems natural. As noted in the README, it could be used to monitor that critical modules are in fact loaded correctly. As more modules use the status API, the more useful this module and mod_http_status becomes.

mod_http_health: Provide a health check HTTP endpoint Someone in the chat asked about a health check endpoint, which reminded me of mod_http_status, which was simplified to produce this module.

mod_rest/rest.sh: Restore default read-only behavior and the -rw flag

mod_http_oauth2: Include 'amr' claim in ID Token This essentially just says "password authentication was used". This field could later be used to indicate whether e.g. MFA was used.

mod_push2: restore offline message hook Filtering is mostly handled in handle_notify_request now

mod_push2: Need to include the public key with the JWT

mod_push2: Add note about luaossl patch

mod_push2: Fix unbalanced quote in readme

mod_push2: Add back body truncation logic

Initial work on Push 2.0

mod_muc_adhoc_bots: Fix unbalanced quote in metadata section

mod_muc_members_json: Fix potential error when removing old affiliations Found this uncommitted change on a production server... The affiliation data may been `nil` at some point, triggering an error?

mod_http_muc_log: Correctly handle changed or retracted reactions Since per XEP-0444 each reaction should overwrite all previous reactions on a particular message from a particular occupant. Previously repeated reactions would be counted again and retractions were not handled.

mod_muc_members_json: Demonstrate support for more than one JID per list

mod_muc_members_json: Fix invalid JSON in README

Merge

mod_muc_adhoc_bots: add module

mod_pubsub_subscription: support subscribing from a bare JID Allow subscribing from a bare JID on the component instead of only the component host, useful for subscribing to whitelist access model nodes that want to see a particular JID in the from.

merge

mod_muc_restrict_avatars: Block MUC participant avatars for non-members

misc/mtail: Start of an mtail config Stashing it here in case anyone wants to continue working on it. Currently it's only counting log messages by level. Due to the permissions set by systemd on Prosody logs, mtail never managed to start correctly until permissions were manually relaxed.

mod_muc_moderation: Mention that it works with mod_storage_xmlarchive (thanks Menel)

mod_http_oauth2: Apply refresh token ttl to refresh token instead of grant The intent in 59d5fc50f602 was for refresh tokens to extend the lifetime of the grant, but the refresh token ttl was applied to the grant and mod_tokenauth does not change it, leading to the grant expiring regardless of refresh token usage. This makes grant lifetimes unlimited, which seems to be standard practice in the wild.

mod_client_management: Show grant expiry in shell command I want to know when my OAuth2 grant expires and that it really is extended by refreshing.

mod_http_oauth2: Tweak wording in README to point out that this is an AS

mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt If the OIDC 'prompt' parameter does not contain the 'select_account' then it wants us to skip account selection, which means we have to figure which account to authenticate somehow. One way could be have this stored in a cookie from a previous successful login. Another way would be to have the account passed as a hint, which is what we add here.

mod_http_oauth2: Remove broken in-CSS templating Because util.interpolation with a "%b{}" pattern only matches the outer brackets, so variables inside them would not work unless the pattern is changed (also considered).

mod_bidi: Really extra finally fix auto-linking to mod_s2s_bidi

mod_bidi: Fix README again

mod_bidi: Fix autolink syntax Thanks pandoc ... not

mod_bidi: Add warning about use with 0.12

mod_rest/rest.sh: Silence shellcheck SC1091 Stops it from trying and failing to read the config file, since the path uses variables.

mod_rest/rest.sh: Update to use httpie-oauth2 plugin This bash implementation of OAuth2/OIDC was growing to the point where it needed a massive refactor, which made me look into alternatives where I finally settled on implementing oauth2 in a plugin for HTTPie.

mod_http_oauth2: Specify language in templates Might be used as hint to translation systems. Maybe one day we'll have i18n built in, but this is not that day!

mod_http_oauth2: Remove duplicated word in README introduced in 734788d8bfc3

mod_http_oauth2: Allow omitting application type for native apps This derives "application_type":"native" from the first redirect URI when registering a client, so that it can be omitted without the default value of "web" causing the very same redirect URIs to be rejected.

mod_client_management: Show timestamp of first client appearance

mod_http_oauth2: Improve templates XML-ness by avoiding value-less attributes or whatever they're called Plus some Aria label tweaks