mod_tokenauth: Invalidate tokens issued before most recent password change This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.

prosodyctl: check turn: More clearly indicate the error is from TURN server

mod_authz_internal: Fix warning due to global use Thanks Menel and Martin

Backed out changeset 1bc2220cd6ec The use of the error helpers creates an `<error/>` child element containing the error condition. This is however not allowed as per XEP-0198, which specifies that the error condition is to be a direct child of the `<failed/>` stream management element. This has triggered a fun reconnect loop in aioxmpp where it was reported by a user [1]. [1]: https://github.com/horazont/aioxmpp/issues/382

util.jwt: More robust ECDSA signature parsing, fail early on unexpected length

util.crypto: Fix tests Found this number in a hat. Sleepy time. Good night.

util.jwt: Add support for ES512 (+ tests)

util.crypto, util.jwt: Generate consistent signature sizes (via padding) This fixes the signature parsing and building to work correctly. Sometimes a signature was one or two bytes too short, and needed to be padded. OpenSSL can do this for us.

CHANGES: Update with MUC permission changes

mod_authz_internal: Allow specifying default role for public (remote) users