Kim Alvefur <zash@zash.se> [Wed, 26 Jul 2023 16:23:13 +0200] rev 5624
mod_invites_page: Produce URL without config from prosodyctl in trunk
Requires Prosody trunk rev 5884d58707fa or later.
Kim Alvefur <zash@zash.se> [Tue, 25 Jul 2023 11:01:58 +0200] rev 5623
mod_http_oauth2: Don't use new time period API just yet
Mistake in commit splitting, this was meant for later.
On the other hand, this is trunk only anyway.
Kim Alvefur <zash@zash.se> [Mon, 24 Jul 2023 01:26:41 +0200] rev 5622
mod_http_oauth2: Clean cache less frequently
Seems unlikely that enough unused and expired codes accumulate to
warrant an hourly job.
Kim Alvefur <zash@zash.se> [Mon, 24 Jul 2023 01:30:14 +0200] rev 5621
mod_http_oauth2: Shorten default token validity periods
With refresh tokens, short lifetime for access tokens is not a problem.
The arbitrary choice of one hour seems reasonable. RFC 6749 has it as an
example value.
One week for refresh tokens matches the default archive retention
period. This means that a client that remains unused for one week will
have to sign in again. An actively used client will continually push
that forward with each used refresh token.
Kim Alvefur <zash@zash.se> [Sun, 23 Jul 2023 02:56:08 +0200] rev 5620
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics.
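The rotation described in this entry, combined with the one-hour access token and one-week sliding refresh token lifetimes from rev 5621 above, as an added Python sketch that is not mod_http_oauth2's own (Lua) code. The grant ids, the `rt-`/`at-` prefixes and the status strings are assumptions, and revoking the whole grant on reuse is the reaction the cited draft recommends rather than something this entry states.

```python
import secrets
import time

ACCESS_TOKEN_TTL = 60 * 60            # one hour, RFC 6749's example value
REFRESH_TOKEN_TTL = 7 * 24 * 60 * 60  # one week, matching archive retention


class TokenStore:
    """Issues access/refresh token pairs; every refresh token is single-use.
    Replaying a spent token counts as reuse and revokes the whole grant
    (assumed reaction, per draft-ietf-oauth-security-topics)."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can advance time
        self.grants = {}            # grant id -> {"revoked": bool}
        self.refresh_tokens = {}    # token -> {"grant", "expires", "spent"}

    def _issue(self, grant_id):
        refresh = "rt-" + secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = {
            "grant": grant_id,
            "expires": self.clock() + REFRESH_TOKEN_TTL,  # slides forward each use
            "spent": False,
        }
        return {
            "access_token": "at-" + secrets.token_urlsafe(24),
            "expires_in": ACCESS_TOKEN_TTL,
            "refresh_token": refresh,
        }

    def new_grant(self, grant_id):
        # Called once authorization succeeded (code, device or other flow).
        self.grants[grant_id] = {"revoked": False}
        return self._issue(grant_id)

    def refresh(self, presented):
        """Handle grant_type=refresh_token.  Returns (tokens, status); on the
        wire every status other than "ok" is sent as RFC 6749 invalid_grant."""
        rec = self.refresh_tokens.get(presented)
        if rec is None:
            return None, "unknown_token"
        grant = self.grants[rec["grant"]]
        if grant["revoked"]:
            return None, "grant_revoked"
        if rec["spent"]:
            grant["revoked"] = True  # reuse detected: stop the thief's copy too
            return None, "reuse_detected"
        if self.clock() > rec["expires"]:
            return None, "expired"   # idle for a week: client must sign in again
        rec["spent"] = True
        return self._issue(rec["grant"]), "ok"
```

Whether the replay comes from the attacker or from the legitimate client, the second use of the same token fails and the rotated successor is invalidated with it.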
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:38:04 +0200] rev 5619
mod_http_oauth2: Hint at future deprecation of resource owner password grant
It is strongly discouraged by all the modern OAuth 2.0 (and 2.1) documents.
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:37:34 +0200] rev 5618
mod_http_oauth2: Allow a shorter form of the device grant in config
Long URI is long
Kim Alvefur <zash@zash.se> [Fri, 21 Jul 2023 00:29:24 +0200] rev 5617
mod_http_oauth2: Mention Device flow in list of flows in README
Kim Alvefur <zash@zash.se> [Thu, 20 Jul 2023 10:38:33 +0200] rev 5616
mod_muc_moderation: Stamp XEP-0421 occupant-id for the acting moderator
Gives clients some hint about which moderator it was who did the deed.
The @by attribute does have the nick of the actor, but they could change
their nickname at some point, which is what occupant-id solves.
Ref #1816
Kim Alvefur <zash@zash.se> [Thu, 20 Jul 2023 10:37:27 +0200] rev 5615
mod_muc_moderation: Copy XEP-0421 occupant-id from retracted message
Lets clients correlate the sender of whatever was retracted by
moderators. Behavior limited to Prosody 0.12, otherwise there are no
assurances of the origin of the occupant-id tag.
Ref #1816
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 17:01:40 +0200] rev 5614
mod_muc_block_pm: Advertise that Moderators are allowed to send PMs
But there appears to be no way in XEP-0045 to advertise that Anyone can
send PMs *to* Moderators.
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 16:59:16 +0200] rev 5613
mod_muc_block_pm: Allow private messages to yourself
No harm in it.
Beagle apparently uses it for XEP-0333 in public channels
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 13:05:47 +0200] rev 5612
mod_http_oauth2: Show errors on device flow user code entry page
If the user enters the code incorrectly, having to click back to try
again is no fun. Instead, show the error and the code entry form again.
Kim Alvefur <zash@zash.se> [Wed, 19 Jul 2023 12:58:04 +0200] rev 5611
mod_http_oauth2: Namespace the various codes to minimize confusion
Both for the programmer and in OAuth flows.
While unlikely, it should not be possible to cause weirdness e.g. by
typing a client id and authorization code into the device code entry.
Kim Alvefur <zash@zash.se> [Mon, 17 Jul 2023 16:40:45 +0200] rev 5610
mod_default_bookmarks: Include 'autojoin' in examples
The text does mention this, but who reads that?
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 12:27:24 +0200] rev 5609
mod_http_oauth2: Improve a description in schema
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 10:45:26 +0200] rev 5608
editorconfig: Document established conventions
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 09:16:19 +0200] rev 5607
mod_muc_limits: Drop unsupported Prosody versions from Compatibility table
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 09:14:57 +0200] rev 5606
mod_muc_limits: Set syntax of config snippets to enable syntax highlighting
Kim Alvefur <zash@zash.se> [Sat, 15 Jul 2023 09:09:41 +0200] rev 5605
mod_muc_limits: Reduce cost of multi-line messages, make configurable
Typing a 5-line message preceded by a few chat states would have hit the
default limit.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 16:20:54 +0200] rev 5604
mod_client_management: Make ID column dynamically sized
Its width can vary more than expected (because it can contain resources).
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 16:09:43 +0200] rev 5603
mod_client_management: Fix traceback if no last seen timestamp available
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 16:04:11 +0200] rev 5602
mod_http_oauth2: Add titles and descriptions to registration schema
Since it is exposed publicly, it can serve as documentation.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 15:44:55 +0200] rev 5601
mod_client_management: Fix missing equality check
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 15:16:06 +0200] rev 5600
mod_client_management: Allow revoking a specific client version
Could be useful in case of a security issue affecting a particular
version. Even if in that case, the more likely use case is revoking all
older versions except the fixed one(s), this can be done with a loop or
improved later.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 15:01:56 +0200] rev 5599
mod_client_management: Add way to revoke (one) client by software
This is a bit hacky but it works.
Kim Alvefur <zash@zash.se> [Fri, 14 Jul 2023 13:25:30 +0200] rev 5598
mod_client_management: Add shell command to revoke client access
Could be used if an operator detects a compromised client.
Kim Alvefur <zash@zash.se> [Thu, 13 Jul 2023 23:26:02 +0200] rev 5597
mod_client_management: Include software version in table (when known)
Showing software versions could be useful for statistical reasons, e.g.
determining how quickly (or not) users upgrade, but most importantly for
revoking vulnerable client versions in case of a security issue.
Kim Alvefur <zash@zash.se> [Thu, 13 Jul 2023 23:24:23 +0200] rev 5596
mod_client_management: Include the client id in table in shell command
Since this is the identifier used when revoking clients, it is useful to
show it.
Kim Alvefur <zash@zash.se> [Wed, 12 Jul 2023 15:47:20 +0200] rev 5595
mod_muc_block_pm: Update to 0.12+ API, use roles instead of affiliations
The module was possibly broken with 0.12 before.
This changes the behavior to allow only messages to or from moderators.