Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:24:12 +0200] rev 5574
mod_pubsub_feeds: Add new interval setting in seconds (old still works)
To match most other such settings.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:20:57 +0200] rev 5573
mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default
I have seen no recent evidence of this being used or supported by
anything anywhere anymore.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 11:12:07 +0200] rev 5572
mod_http_oauth2: Always show list of requested scopes
Upon further reflection, these are probably too important to hide behind
a <details> thing.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 00:00:02 +0200] rev 5571
mod_muc_limits: Add a limit on number of bytes in a message body
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:56:13 +0200] rev 5570
mod_muc_limits: Add a limit on number of lines per message
More vertical space -> more cost
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:53:48 +0200] rev 5569
mod_muc_limits: Normalise README markdown syntax (thanks pandoc)
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:51:31 +0200] rev 5568
mod_muc_limits: Raise cost for multi-line messages
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 22:00:51 +0200] rev 5567
Back out 22784f001b7f: Documentation change did not match code (thanks bronko)
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 21:59:49 +0200] rev 5566
mod_http_oauth2: Rearrange description of redirect URIs requirements
So that they're in one place only instead of sorta twice.
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 09:18:32 +0200] rev 5565
mod_http_oauth2: Add a more complete client registration example
More fields from RFC 7591. We should probably mention and recommend more
of them, especially the ones that are recorded in grants.
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:13:51 +0200] rev 5564
mod_http_oauth2: Strip JWKS metadata since we do not understand that
Maybe one day whatever this is will be understood, but not this day!
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:11:34 +0200] rev 5563
mod_http_oauth2: Strip unknown client metadata
Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
This was previously done but unintentionally removed in 90449babaa48
Kim Alvefur <zash@zash.se> [Mon, 19 Jun 2023 01:26:56 +0200] rev 5562
mod_rest: Map the archive-id attribute in MAM result items
I was wondering why this wasn't in the JSON output
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 22:23:24 +0200] rev 5561
mod_rest: Include full_jid property on origin
Fixes permission check in disco#info query to your own account, where
the 'to' would have been stripped since it equals the account JID,
leaving mod_disco passing nil, which triggers an error in module:may()
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:23 +0200] rev 5560
mod_oidc_userinfo_vcard4: Remove unused import
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:13 +0200] rev 5559
mod_oidc_userinfo_vcard4: Fix typo
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 19:03:32 +0200] rev 5558
mod_http_oauth2: Make allowed locales configurable
Explicit > Implicit
Instead of allowing anything after #, allow only the explicitly
configured locales to be used.
Default to empty list because using these is not supported yet.
This potentially limits the size of the client_id, which is already
quite large. Nothing prevents clients from registering a whole
client_id per locale, which would not require translation support on
this side.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 18:15:00 +0200] rev 5557
mod_http_oauth2: Improve error messages for URI properties
Since there are separate validation checks for URI properties, including
that they should use https, with better and more specific error reporting.
Reverts 'luaPattern' to 'pattern' which is not currently supported by
util.jsonschema, but allows anything that retrieves the schema over http
to validate against it, should they wish to do so.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:28:13 +0200] rev 5556
mod_rest: Describe the error 'by' property in OpenAPI spec
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:26:33 +0200] rev 5555
mod_rest: List all error conditions in OpenAPI spec
These are not handled by datamanager but by util.stanza and util.error,
so they are not represented in the JSON schema file.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:10:46 +0200] rev 5554
mod_http_oauth2: Make note about handling repeated
RFC 6749 states
> If an authorization code is used more than once, the authorization
> server MUST deny the request and SHOULD revoke (when possible) all
> tokens previously issued based on that authorization code.
We should follow the SHOULD.
The MUST is already covered by removing the code state from the cache.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:06:53 +0200] rev 5553
mod_http_oauth2: Add TODO about disabling password grant
Per recommendation in draft-ietf-oauth-security-topics-23 it should at
the very least be disabled by default.
However since this is used by the Snikket web portal some care needs to
be taken not to break this, unless it's already broken by other changes
to this module.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:05:57 +0200] rev 5552
mod_http_oauth2: Disable CORS for authorization endpoint
Per recommendation in draft-ietf-oauth-security-topics-23
Hopefully it is enough to return an error status, since mod_http will
add CORS headers from a handler with higher priority, even for OPTIONS.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:06:28 +0200] rev 5551
mod_http_oauth2: Make CSP configurable
E.g. to enable forbidding all scripts if you don't use any scripts, or
allow scripts from your separate static content domain, etc.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:03:27 +0200] rev 5550
mod_http_oauth2: Link to RFC 7628 in README
Links are good.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:02:47 +0200] rev 5549
mod_http_oauth2: Use code spans for some config options in README
To make them more recognisable as code things.
Kim Alvefur <zash@zash.se> [Sat, 10 Jun 2023 12:04:00 +0200] rev 5548
mod_http_oauth2: Remove underscore prefix
LuaCheck considers this to mean that a variable it unused, but this one
is not.
Kim Alvefur <zash@zash.se> [Fri, 09 Jun 2023 18:07:15 +0200] rev 5547
mod_cloud_notify_extensions: Fix Markdown syntax of Compatibility table
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:47:35 +0100] rev 5546
mod_firewall: Add console commands to mark/unmark users
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:19:46 +0100] rev 5545
mod_firewall: Load marks from storage on demand rather than at login
This ensures people who don't use marks, or use them infrequently, don't pay
a perf cost on every resource bind.