mod_pubsub_feeds: Add new interval setting in seconds (old still works) To match most other such settings.

mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default I have seen no recent evidence of this being used or supported by anything anywhere anymore.

mod_http_oauth2: Always show list of requested scopes Upon further reflection, these are probably too important to hide behind a <details> thing.

mod_muc_limits: Add a limit on number of bytes in a message body

mod_muc_limits: Add a limit on number of lines per message More vertical space -> more cost

mod_muc_limits: Normalise README markdown syntax (thanks pandoc)

mod_muc_limits: Raise cost for multi-line messages

Back out 22784f001b7f: Documentation change did not match code (thanks bronko)

mod_http_oauth2: Rearrange description of redirect URIs requirements So that they're in one place only instead of sorta twice.

mod_http_oauth2: Add a more complete client registration example More fields from RFC 7591. We should probably mention and recommend more of them, especially the ones that are recorded in grants.

mod_http_oauth2: Strip JWKS metadata since we do not understand that Maybe one day whatever this is will be understood, but not this day!

mod_http_oauth2: Strip unknown client metadata Per RFC 7591 > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). This was previously done but unintentionally removed in 90449babaa48

mod_rest: Map the archive-id attribute in MAM result items I was wondering why this wasn't in the JSON output

mod_rest: Include full_jid property on origin Fixes permission check in disco#info query to your own account, where the 'to' would have been stripped since it equals the account JID, leaving mod_disco passing nil, which triggers an error in module:may()

mod_oidc_userinfo_vcard4: Remove unused import

mod_oidc_userinfo_vcard4: Fix typo

mod_http_oauth2: Make allowed locales configurable Explicit > Implicit Instead of allowing anything after #, allow only the explicitly configured locales to be used. Default to empty list because using these is not supported yet. This potentially limits the size of the client_id, which is already quite large. Nothing prevents clients from registering a whole client_id per locale, which would not require translation support on this side.

mod_http_oauth2: Improve error messages for URI properties Since there are separate validation checks for URI properties, including that they should use https, with better and more specific error reporting. Reverts 'luaPattern' to 'pattern' which is not currently supported by util.jsonschema, but allows anything that retrieves the schema over http to validate against it, should they wish to do so.

mod_rest: Describe the error 'by' property in OpenAPI spec

mod_rest: List all error conditions in OpenAPI spec These are not handled by datamanager but by util.stanza and util.error, so they are not represented in the JSON schema file.

mod_http_oauth2: Make note about handling repeated RFC 6749 states > If an authorization code is used more than once, the authorization > server MUST deny the request and SHOULD revoke (when possible) all > tokens previously issued based on that authorization code. We should follow the SHOULD. The MUST is already covered by removing the code state from the cache.

mod_http_oauth2: Add TODO about disabling password grant Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.

mod_http_oauth2: Disable CORS for authorization endpoint Per recommendation in draft-ietf-oauth-security-topics-23 Hopefully it is enough to return an error status, since mod_http will add CORS headers from a handler with higher priority, even for OPTIONS.

mod_http_oauth2: Make CSP configurable E.g. to enable forbidding all scripts if you don't use any scripts, or allow scripts from your separate static content domain, etc.

mod_http_oauth2: Link to RFC 7628 in README Links are good.

mod_http_oauth2: Use code spans for some config options in README To make them more recognisable as code things.

mod_http_oauth2: Remove underscore prefix LuaCheck considers this to mean that a variable it unused, but this one is not.

mod_cloud_notify_extensions: Fix Markdown syntax of Compatibility table

mod_firewall: Add console commands to mark/unmark users

mod_firewall: Load marks from storage on demand rather than at login This ensures people who don't use marks, or use them infrequently, don't pay a perf cost on every resource bind.