Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:24:12 +0200] rev 5574
mod_pubsub_feeds: Add new interval setting in seconds (old still works)
To match most other such settings.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 16:20:57 +0200] rev 5573
mod_pubsub_feeds: Disable WebSub (formerly PubSubHubbub) by default
I have seen no recent evidence of this being used or supported by
anything anywhere anymore.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 11:12:07 +0200] rev 5572
mod_http_oauth2: Always show list of requested scopes
Upon further reflection, these are probably too important to hide behind
a <details> thing.
Kim Alvefur <zash@zash.se> [Sun, 25 Jun 2023 00:00:02 +0200] rev 5571
mod_muc_limits: Add a limit on number of bytes in a message body
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:56:13 +0200] rev 5570
mod_muc_limits: Add a limit on number of lines per message
More vertical space -> more cost
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:53:48 +0200] rev 5569
mod_muc_limits: Normalise README markdown syntax (thanks pandoc)
Kim Alvefur <zash@zash.se> [Sat, 24 Jun 2023 23:51:31 +0200] rev 5568
mod_muc_limits: Raise cost for multi-line messages
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 22:00:51 +0200] rev 5567
Back out 22784f001b7f: Documentation change did not match code (thanks bronko)
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 21:59:49 +0200] rev 5566
mod_http_oauth2: Rearrange description of redirect URIs requirements
So that they're in one place only instead of sorta twice.
Kim Alvefur <zash@zash.se> [Thu, 22 Jun 2023 09:18:32 +0200] rev 5565
mod_http_oauth2: Add a more complete client registration example
More fields from RFC 7591. We should probably mention and recommend more
of them, especially the ones that are recorded in grants.
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:13:51 +0200] rev 5564
mod_http_oauth2: Strip JWKS metadata since we do not understand that
Maybe one day whatever this is will be understood, but not this day!
Kim Alvefur <zash@zash.se> [Tue, 20 Jun 2023 01:11:34 +0200] rev 5563
mod_http_oauth2: Strip unknown client metadata
Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
This was previously done but unintentionally removed in 90449babaa48
Kim Alvefur <zash@zash.se> [Mon, 19 Jun 2023 01:26:56 +0200] rev 5562
mod_rest: Map the archive-id attribute in MAM result items
I was wondering why this wasn't in the JSON output
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 22:23:24 +0200] rev 5561
mod_rest: Include full_jid property on origin
Fixes permission check in disco#info query to your own account, where
the 'to' would have been stripped since it equals the account JID,
leaving mod_disco passing nil, which triggers an error in module:may()
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:23 +0200] rev 5560
mod_oidc_userinfo_vcard4: Remove unused import
Kim Alvefur <zash@zash.se> [Sun, 18 Jun 2023 15:28:13 +0200] rev 5559
mod_oidc_userinfo_vcard4: Fix typo
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 19:03:32 +0200] rev 5558
mod_http_oauth2: Make allowed locales configurable
Explicit > Implicit
Instead of allowing anything after #, allow only the explicitly
configured locales to be used.
Default to empty list because using these is not supported yet.
This potentially limits the size of the client_id, which is already
quite large. Nothing prevents clients from registering a whole
client_id per locale, which would not require translation support on
this side.
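The two registration-time rules described above (rev 5563 stripping metadata the server does not understand, and rev 5558 only accepting localized fields for explicitly configured locales) can be shown in one small sanitiser. The following is an added example in Python, not mod_http_oauth2's own Lua code: which RFC 7591 metadata names the server "understands" (KNOWN_METADATA), that jwks/jwks_uri are the not-understood names, and the function names are assumptions of this example.

```python
"""Added example (not mod_http_oauth2's code): sanitise an RFC 7591
client registration by dropping metadata the server does not understand
and localized variants for locales that are not explicitly allowed.
"""

# Registration metadata names defined in RFC 7591 section 2. Which of
# these a given server actually understands is an assumption here.
KNOWN_METADATA = {
    "redirect_uris", "token_endpoint_auth_method", "grant_types",
    "response_types", "client_name", "client_uri", "logo_uri", "scope",
    "contacts", "tos_uri", "policy_uri", "software_id", "software_version",
}

# Human-readable metadata that RFC 7591 section 2.2 allows in localized
# form, written as "name#locale", e.g. "client_name#sv-SE".
LOCALIZABLE = {"client_name", "client_uri", "logo_uri", "tos_uri", "policy_uri"}

# Names the server recognises but does not implement (assumed here to be
# the JWKS fields); RFC 7591 says to ignore metadata that is not understood.
NOT_UNDERSTOOD = {"jwks", "jwks_uri"}


def strip_client_metadata(registration, allowed_locales=()):
    """Return (cleaned, dropped): metadata to record and the names removed.

    allowed_locales defaults to empty, so localized fields are dropped
    unless the deployment explicitly lists the locales it supports.
    """
    allowed = set(allowed_locales)
    cleaned = {}
    dropped = []
    for name, value in registration.items():
        base, has_locale, locale = name.partition("#")
        if base in NOT_UNDERSTOOD or base not in KNOWN_METADATA:
            dropped.append(name)
            continue
        if has_locale and (base not in LOCALIZABLE or locale not in allowed):
            # Either this field cannot be localized, or the locale is not
            # configured: silently drop it rather than fail registration.
            dropped.append(name)
            continue
        cleaned[name] = value
    return cleaned, dropped


# Constructed sample registration request, not a real client.
SAMPLE_REGISTRATION = {
    "redirect_uris": ["https://app.example/callback"],
    "client_name": "Example App",
    "client_name#sv": "Exempelapp",
    "client_name#de": "Beispiel-App",
    "redirect_uris#sv": ["https://app.example/callback"],
    "jwks_uri": "https://app.example/jwks.json",
    "x_vendor_extension": {"foo": "bar"},
}

if __name__ == "__main__":
    kept, removed = strip_client_metadata(SAMPLE_REGISTRATION, allowed_locales=["sv"])
    print("recorded:", sorted(kept))
    print("dropped:", removed)
```

Dropping silently rather than rejecting the whole request is what RFC 7591 asks for; keeping the dropped list is useful for logging so that operators can see which clients send metadata the server ignores.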
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 18:15:00 +0200] rev 5557
mod_http_oauth2: Improve error messages for URI properties
Since there are separate validation checks for URI properties, including
that they should use https, with better and more specific error reporting.
Reverts 'luaPattern' to 'pattern' which is not currently supported by
util.jsonschema, but allows anything that retrieves the schema over http
to validate against it, should they wish to do so.
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:28:13 +0200] rev 5556
mod_rest: Describe the error 'by' property in OpenAPI spec
Kim Alvefur <zash@zash.se> [Sat, 17 Jun 2023 16:26:33 +0200] rev 5555
mod_rest: List all error conditions in OpenAPI spec
These are not handled by datamanager but by util.stanza and util.error,
so they are not represented in the JSON schema file.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:10:46 +0200] rev 5554
mod_http_oauth2: Make note about handling repeated
RFC 6749 states
> If an authorization code is used more than once, the authorization
> server MUST deny the request and SHOULD revoke (when possible) all
> tokens previously issued based on that authorization code.
We should follow the SHOULD.
The MUST is already covered by removing the code state from the cache.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:06:53 +0200] rev 5553
mod_http_oauth2: Add TODO about disabling password grant
Per recommendation in draft-ietf-oauth-security-topics-23 it should at
the very least be disabled by default.
However since this is used by the Snikket web portal some care needs to
be taken not to break this, unless it's already broken by other changes
to this module.
Kim Alvefur <zash@zash.se> [Fri, 16 Jun 2023 00:05:57 +0200] rev 5552
mod_http_oauth2: Disable CORS for authorization endpoint
Per recommendation in draft-ietf-oauth-security-topics-23
Hopefully it is enough to return an error status, since mod_http will
add CORS headers from a handler with higher priority, even for OPTIONS.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:06:28 +0200] rev 5551
mod_http_oauth2: Make CSP configurable
E.g. to enable forbidding all scripts if you don't use any scripts, or
allow scripts from your separate static content domain, etc.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:03:27 +0200] rev 5550
mod_http_oauth2: Link to RFC 7628 in README
Links are good.
Kim Alvefur <zash@zash.se> [Sun, 11 Jun 2023 14:02:47 +0200] rev 5549
mod_http_oauth2: Use code spans for some config options in README
To make them more recognisable as code things.
Kim Alvefur <zash@zash.se> [Sat, 10 Jun 2023 12:04:00 +0200] rev 5548
mod_http_oauth2: Remove underscore prefix
LuaCheck considers this to mean that a variable is unused, but this one
is not.
Kim Alvefur <zash@zash.se> [Fri, 09 Jun 2023 18:07:15 +0200] rev 5547
mod_cloud_notify_extensions: Fix Markdown syntax of Compatibility table
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:47:35 +0100] rev 5546
mod_firewall: Add console commands to mark/unmark users
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:19:46 +0100] rev 5545
mod_firewall: Load marks from storage on demand rather than at login
This ensures people who don't use marks, or use them infrequently, don't pay
a perf cost on every resource bind.
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 19:15:12 +0100] rev 5544
mod_firewall: Log warning when attempting to mark/unmark remote users
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 17:00:04 +0100] rev 5543
mod_firewall: enable marks by default
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:59:22 +0100] rev 5542
mod_firewall: Improve error when mark name contains invalid characters
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:53:12 +0100] rev 5541
mod_firewall: marks: Fix marking a user with no previous marks
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:20:42 +0100] rev 5540
mod_firewall: Update user marks to store instantly via map store
The original approach was to keep marks in memory only, and persist them at
shutdown. That saves I/O, at the cost of potentially losing marks on an
unclean shutdown.
This change persists marks instantly, which may have some performance overhead
but should be more "correct".
It also splits the marking/unmarking into an event which may be watched or
even fired by other modules.
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 16:17:25 +0100] rev 5539
mod_firewall: Split some long lines [luacheck]
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 13:04:19 +0100] rev 5538
mod_firewall: Fix inverted logic of 'FROM FULL JID?'
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 12:20:34 +0100] rev 5537
mod_firewall: spam-blocking.pfw: Remove requirement for invites to have no body
Some clients (e.g. Gajim) send a body, which I guess makes sense.
The bare JID sender check should already make it hard to bypass this (i.e.
a normal client putting muc#user into a normal chat message shouldn't bypass
the usual message filters).
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:30:39 +0100] rev 5536
mod_firewall: scripts: spam-blocklists: Check sender and inviter of MUC invitations against blocklist
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:28:56 +0100] rev 5535
mod_firewall: scripts: spam-blocking.pfw: Add special handling for MUC invites
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:28:06 +0100] rev 5534
mod_firewall: Add 'FROM FULL JID?' condition
Matthew Wild <mwild1@gmail.com> [Thu, 08 Jun 2023 11:25:40 +0100] rev 5533
mod_firewall: README: Add some emphasis on the exact behaviour of TO FULL JID
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 15:59:34 +0200] rev 5532
mod_rest: Merge some common properties between openapi and schema
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 15:52:02 +0200] rev 5531
mod_rest: Apply normalization to openapi spec
Using https://github.com/mikefarah/yq v4.34.1 --prettyPrint
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:54:52 +0200] rev 5530
mod_http_oauth2: Simplify template using if-falsy operator
Relies on Prosody rev af1e3b7d9ea3 which added the {var~if-falsy},
released in 0.12. Since this module requires trunk this is fine.
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:31:52 +0200] rev 5529
mod_http_dir_listing2: Fix wrong name for resource directory
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:27:13 +0200] rev 5528
mod_http_dir_listing2: Include html resources with plugin installer
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:26:27 +0200] rev 5527
mod_http_dir_listing: Strip path to using plugin installer
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 12:23:31 +0200] rev 5526
mod_firewall: Include scripts with plugin installer (thanks gooya)
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 01:51:23 +0200] rev 5525
mod_http_oauth2: Add some words about supported flows and defaults
Kim Alvefur <zash@zash.se> [Wed, 07 Jun 2023 01:43:35 +0200] rev 5524
mod_http_oauth2/README: Expand summary to include OAuth 2.0 role
This module implements the Authorization Server parts of OAuth 2.0, so
having the summary say that seems sensible.
Kim Alvefur <zash@zash.se> [Mon, 05 Jun 2023 22:32:44 +0200] rev 5523
mod_http_oauth2: Return Authentication Time per OpenID Core Section 2
Mandatory To Implement, either MUST include or OPTIONAL depending on
things we don't look at, so might as well include it all the time.
Since we do not persist authentication state with cookies or such, the
authentication time will always be some point between the user being
sent to the authorization endpoint and the time they are sent back to
the client application.
Kim Alvefur <zash@zash.se> [Mon, 05 Jun 2023 22:19:17 +0200] rev 5522
mod_http_oauth2: Validate the OpenID 'prompt' parameter
Without support for affecting the login and consent procedure, it seems
sensible to inform the client that they can't change anything with this
parameter.
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 20:04:40 +0200] rev 5521
mod_http_oauth2: Apply text color to OOB input field
Was using the browser default color
Kim Alvefur <zash@zash.se> [Sat, 03 Jun 2023 19:21:39 +0200] rev 5520
mod_client_management: Include client software version number in listing
Should you ever wish to revoke a client by version number, e.g. for
security reasons affecting certain versions, then it would be good to at
the very least see which version is used.
Also includes the OAuth2 software ID, an optional unique identifier that
should be the same for all installations of a particular software.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:28:04 +0200] rev 5519
mod_http_oauth2: Present OOB code in an input field for easier selection
Should also avoid stray whitespace making it into the selection.
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:20:08 +0200] rev 5518
mod_http_oauth2: Revert strict form check to allow consent of multiple scopes
Untested commit breaks everything, news at 11
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 11:03:57 +0200] rev 5517
mod_http_oauth2: Reject duplicate form-urlencoded parameters
Per RFC 6749 section 3.1
> Request and response parameters MUST NOT be included more than once.
Thanks to OAuch for pointing out
Also cleans up some of the icky behavior of formdecode(), like returning
a string if no '=' is included.
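The strict decoding described in the commit above (reject a repeated parameter per RFC 6749 section 3.1, and stop treating a segment without '=' as a loose string) can be written against the standard library. This is an added Python example, not the module's formdecode() or its Lua code; the function names and the mapping to the `invalid_request` error are assumptions of the example.

```python
"""Added example (not mod_http_oauth2's code): strict decoding of an
application/x-www-form-urlencoded OAuth request body that rejects
duplicate parameter names and malformed name/value pairs.
"""
from urllib.parse import parse_qsl


def decode_form_strict(body: str) -> dict:
    """Decode a form body into a dict, raising ValueError on problems.

    strict_parsing makes parse_qsl reject a segment with no '=' instead
    of guessing; the duplicate-name check is done here, since the
    standard library would otherwise just return both values.
    """
    seen = {}
    for name, value in parse_qsl(body, keep_blank_values=True, strict_parsing=True):
        if name in seen:
            # RFC 6749 section 3.1: parameters MUST NOT appear more than once.
            raise ValueError(f"parameter {name!r} included more than once")
        seen[name] = value
    return seen


def handle_token_request(body: str):
    """Return ("ok", params) or ("error", oauth_error_object).

    A malformed or ambiguous body is answered with the RFC 6749 section
    5.2 'invalid_request' error before any parameter is interpreted.
    """
    try:
        params = decode_form_strict(body)
    except ValueError as exc:
        return "error", {"error": "invalid_request", "error_description": str(exc)}
    if "grant_type" not in params:
        return "error", {"error": "invalid_request", "error_description": "grant_type missing"}
    return "ok", params


# Constructed sample bodies (not captured traffic).
GOOD_BODY = (
    "grant_type=authorization_code&code=abc123"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&code_verifier="
)
DUPLICATE_BODY = "grant_type=authorization_code&code=abc123&code=def456"
MALFORMED_BODY = "grant_type=authorization_code&code"

if __name__ == "__main__":
    for label, body in [("good", GOOD_BODY), ("duplicate", DUPLICATE_BODY), ("malformed", MALFORMED_BODY)]:
        print(label, handle_token_request(body))
```

Rejecting duplicates matters because different layers (a proxy, the framework, the handler) may otherwise pick different copies of `code` or `redirect_uri`, and that disagreement is exactly what parameter-pollution checks like OAuch look for.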
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:40:48 +0200] rev 5516
mod_http_oauth2: Bind refresh tokens to client
Prevent one OAuth client from using the refresh tokens issued to another
client as required by RFC 6819 section 5.2.2.2
See also draft-ietf-oauth-security-topics-22 section 2.2.2
Thanks to OAuch for pointing out this issue
Kim Alvefur <zash@zash.se> [Fri, 02 Jun 2023 10:14:16 +0200] rev 5515
mod_http_oauth2: Record hash of client_id to allow future verification
RFC 6819 section 5.2.2.2 states that refresh tokens MUST be bound to the
client. In order to do that, we must record something that can
definitely tie the client to the grant. Since the full client_id is so
large (why we have this client_subset function), a hash is stored
instead.
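The last two commits (record a hash of the client_id in the grant, then refuse a refresh token presented by a different client) and the earlier note about repeated authorization codes (rev 5554) fit together in one small grant store. The following is an added Python example, not mod_http_oauth2's code: SHA-256 as the digest (the page only says "a hash"), token rotation on refresh, the data layout and the function names are assumptions, and the module's client_subset helper is not modelled.

```python
"""Added example (not mod_http_oauth2's code): an in-memory grant store
that binds refresh tokens to the issuing client via a client_id hash and
revokes the grant when an authorization code is presented twice.
"""
import hashlib
import hmac
import secrets

GRANTS = {}          # grant_id -> grant record (holds only a digest of client_id)
AUTH_CODES = {}      # unredeemed code -> grant_id
USED_CODES = {}      # redeemed code -> grant_id, kept so reuse can be detected
REFRESH_TOKENS = {}  # refresh_token -> grant_id


def client_id_hash(client_id: str) -> str:
    # SHA-256 is an assumption of this example; the point is that the large
    # client_id itself is never stored, only something that ties it to the grant.
    return hashlib.sha256(client_id.encode("utf-8")).hexdigest()


def _client_matches(grant: dict, client_id: str) -> bool:
    return hmac.compare_digest(grant["client_id_hash"], client_id_hash(client_id))


def issue_authorization_code(client_id: str, user: str) -> str:
    """Called after the user consents: create a grant and a one-time code."""
    grant_id = secrets.token_urlsafe(16)
    GRANTS[grant_id] = {
        "client_id_hash": client_id_hash(client_id),
        "user": user,
        "refresh_token": None,
    }
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = grant_id
    return code


def revoke_grant(grant_id: str) -> None:
    """Drop the grant and any refresh token issued from it."""
    grant = GRANTS.pop(grant_id, None)
    if grant and grant["refresh_token"]:
        REFRESH_TOKENS.pop(grant["refresh_token"], None)


def _issue_tokens(grant_id: str, grant: dict) -> dict:
    # Rotate: a previously issued refresh token for this grant stops working.
    if grant["refresh_token"]:
        REFRESH_TOKENS.pop(grant["refresh_token"], None)
    refresh_token = secrets.token_urlsafe(32)
    grant["refresh_token"] = refresh_token
    REFRESH_TOKENS[refresh_token] = grant_id
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "refresh_token": refresh_token,
    }


def exchange_code(code: str, client_id: str) -> dict:
    """Token endpoint, grant_type=authorization_code."""
    grant_id = AUTH_CODES.pop(code, None)
    if grant_id is None:
        # RFC 6749 section 4.1.2: a code used more than once MUST be denied
        # and SHOULD revoke all tokens previously issued based on it.
        reused_grant = USED_CODES.get(code)
        if reused_grant is not None:
            revoke_grant(reused_grant)
        return {"error": "invalid_grant"}
    USED_CODES[code] = grant_id
    grant = GRANTS[grant_id]
    if not _client_matches(grant, client_id):
        # The code was issued to a different client: deny and revoke.
        revoke_grant(grant_id)
        return {"error": "invalid_grant"}
    return _issue_tokens(grant_id, grant)


def refresh(refresh_token: str, client_id: str) -> dict:
    """Token endpoint, grant_type=refresh_token."""
    grant_id = REFRESH_TOKENS.get(refresh_token)
    grant = GRANTS.get(grant_id) if grant_id else None
    if grant is None:
        return {"error": "invalid_grant"}
    if not _client_matches(grant, client_id):
        # RFC 6819 section 5.2.2.2: the refresh token is bound to the
        # client it was issued to; any other client is denied.
        return {"error": "invalid_grant"}
    return _issue_tokens(grant_id, grant)


if __name__ == "__main__":
    code = issue_authorization_code("client-A", "alice@example.com")
    tokens = exchange_code(code, "client-A")
    print("replayed code:", exchange_code(code, "client-A"))
    print("refresh after revocation:", refresh(tokens["refresh_token"], "client-A"))
```

Comparing digests with `hmac.compare_digest` keeps the check constant-time, and storing only a digest means a dump of the grant store does not reveal the (large, self-describing) client_id values themselves.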