Commit message [Author, Age, Files, Lines]
...
* | util.sasl.scram: Fix off-by-one indentation [Kim Alvefur, 2023-03-16, 1, -2/+2]
| |
* | util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid [Kim Alvefur, 2023-03-16, 2, -4/+5]
| |   Partly copied from util.sasl.scram and then reduced a bit.
* | doap: Sort by XEP number [Kim Alvefur, 2023-03-16, 1, -6/+6]
| |   To keep them sorted. Not pedantic at all!
* | util.sasl.oauthbearer: Return username from callback instead using authzid (BC) [Kim Alvefur, 2023-03-16, 2, -38/+10]
| |   RFC 6120 states that
| |   > If the initiating entity does not wish to act on behalf of another
| |   > entity, it MUST NOT provide an authorization identity.
| |   Thus it seems weird to require it here. We can instead expect a username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
* | util.sasl.oauthbearer: Fix syntax error in b796e08e6376 [Matthew Wild, 2023-03-15, 1, -1/+1]
| |
* | util.sasl.oauthbearer: Attach token_info to sasl handler [Matthew Wild, 2023-03-15, 1, -0/+2]
| |   This allows token-aware things to access extra information about the authentication, such as when the token is due to expire and the attached custom 'data'.
* | util.ip: Add Teal interface description [Kim Alvefur, 2023-03-14, 1, -0/+20]
| |
* | util.ip: Tests for truncate() [Matthew Wild, 2023-03-14, 1, -0/+22]
| |
* | mod_auth_internal_hashed: Record time of account disable / re-enable [Kim Alvefur, 2023-03-12, 1, -0/+2]
| |   Could be useful for e.g. #1772
* | util.ip: Add ip.truncate() to return a new IP with only the prefix of another [Matthew Wild, 2023-03-14, 1, -0/+12]
| |
* | util.ip: Add is_ip() helper method to detect if an object is an ip object [Matthew Wild, 2023-03-14, 1, -0/+5]
| |
* | doap: Add RFC 7628 introduced in ab1164eda011 [Kim Alvefur, 2023-03-12, 1, -0/+1]
| |
* | util.jwt: Import definition of key from util.crypto [Kim Alvefur, 2023-03-10, 1, -4/+2]
| |   Turns out we had a definition of that already
* | util.jwt: Fixup argument and type order [Kim Alvefur, 2023-03-10, 1, -1/+1]
| |
* | mod_admin_shell: Limit module dependency listings to loaded on current host [Kim Alvefur, 2023-03-10, 1, -2/+9]
| |   E.g. module:info("http") with many http modules loaded would show a lot of duplication, as each module would be listed for each host, even if not actually enabled on that host.
* | util.jwt: Document interface as Teal definition file [Kim Alvefur, 2023-03-10, 1, -0/+40]
| |
* | mod_authz_internal: Fix wrong role name field in user_can_assume_role() [Kim Alvefur, 2023-03-09, 1, -1/+1]
| |   Made it reject the primary role since it compares against a non-existent field, i.e. nil.
* | Merge 0.12->trunk [Kim Alvefur, 2023-03-05, 1, -3/+7]
|\|
| * mod_http: Unhook CORS handlers only if active (fixes #1801) [Kim Alvefur, 2023-03-05, 1, -3/+7]
| |
* | mod_admin_shell: Show reverse dependencies in module:info() [Kim Alvefur, 2023-03-05, 1, -0/+6]
| |   Why was this module loaded? Now you can find out!
* | core.moduleapi: Record reverse dependencies [Kim Alvefur, 2023-03-05, 1, -0/+4]
| |   Useful to know why a module was auto-loaded without having to dig through all other modules for the one that depends on it.
* | authz: Add method for retrieving all roles [Kim Alvefur, 2023-03-04, 2, -0/+11]
| |   Some of the OAuth stuff highlights a small need to retrieve a list of roles somehow. Handy if you ever need a role selector in adhoc or something. Unless there's some O(n) thing we were avoiding?
* | mod_tokenauth: Fix misplaced closing parenthesis [Kim Alvefur, 2023-03-02, 1, -1/+1]
| |   `type(x ~= y)` is always a string, thus truthy
* | util.sasl.oauthbearer: Fix traceback on authz in unexpected format [Kim Alvefur, 2023-03-02, 1, -0/+4]
| |   E.g. if you were to just pass "username" without @hostname, the split will return nil, "username" and the nil gets passed to saslprep() and it does not like that.
* | mod_tokenauth: Gracefully handle missing tokens [Matthew Wild, 2023-03-01, 1, -0/+1]
| |
* | mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile [Matthew Wild, 2023-03-01, 1, -1/+4]
| |
* | mod_tokenauth: Add SASL handler backend that can accept and verify tokens [Matthew Wild, 2023-03-01, 1, -0/+18]
| |   This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
* | mod_tokenauth: Add some sanity checking of the new optional parameters [Matthew Wild, 2023-03-01, 1, -0/+4]
| |
* | mod_tokenauth: Add 'purpose' constraint [Matthew Wild, 2023-03-01, 1, -1/+2]
| |   This allows tokens to be tied to specific purposes/protocols. For example, we shouldn't (without specific consideration) allow an OAuth token to be dropped into a slot expecting a FAST token. While FAST doesn't currently use mod_tokenauth, it and others may do in the future. It's better to be explicit about what kind of token code is issuing or expecting.
* | mod_saslauth: Support for SASL handlers forcing a specific resource [Matthew Wild, 2023-03-01, 1, -2/+4]
| |   The token layer supports tokens that are tied to a given resource.
* | util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) [Matthew Wild, 2023-03-01, 2, -4/+88]
| |
* | mod_admin_adhoc: Add XEP-0133 commands to Disable and Re-Enable users [Kim Alvefur, 2023-02-23, 1, -0/+66]
| |   Enables UI in clients supporting XEP-0050
* | CHANGES: Mention new ability to disable and enable user accounts [Kim Alvefur, 2023-02-23, 1, -0/+1]
| |
* | mod_admin_shell: Add commands to disable and enable accounts [Kim Alvefur, 2023-02-23, 1, -0/+32]
| |   First proper UI to enable/disable, allowing it to be tested.
* | mod_c2s: Disconnect accounts when they are disabled [Kim Alvefur, 2023-02-23, 1, -0/+1]
| |   We decided that at the first stage, accounts that are disabled should simply be prevented from authenticating, thus they should also be prevented from having connected sessions. Since this is aimed to be a moderation action for cases of abuse, they shouldn't be allowed to continue being connected.
* | core.usermanager: Fire events when enabling and disabling users [Kim Alvefur, 2023-02-23, 1, -2/+10]
| |   Allow modules to act on this state change, e.g. kick accounts etc.
* | core.usermanager: Add methods for enabling and disabling users [Kim Alvefur, 2023-02-23, 2, -0/+35]
| |   Calling into the auth module, where available.
* | core.usermanager: Add Teal description file [Kim Alvefur, 2023-02-23, 1, -0/+43]
| |
* | mod_auth_internal_hashed: Implement methods to enable and disable users [Kim Alvefur, 2023-02-23, 1, -4/+9]
| |
* | mod_auth_internal_hashed: Implement is_enabled() method [Kim Alvefur, 2023-02-23, 1, -3/+5]
| |   Uses 'disabled' property already introduced in aed38948791f
* | mod_auth_internal_hashed: Add stub methods for enabling and disabling users [Kim Alvefur, 2023-02-22, 1, -0/+8]
| |   But how and where?
* | mod_auth_internal_hashed: Refactor to prepare for disabling users [Kim Alvefur, 2023-02-22, 1, -2/+7]
| |   Moving this out will make space for a dynamic check whether a particular user is disabled or not, which is one possible response to abuse of account privileges.
* | Merge 0.12->trunk [Kim Alvefur, 2023-02-22, 1, -2/+2]
|\|
| * util.prosodyctl.check: Suggest 'http_cors_override' instead of older CORS settings [Kim Alvefur, 2023-02-22, 1, -2/+2]
| |   The cross_domain_* settings were added here prior to http_cors_override being added back in 17d87fb2312a, so for a time there was no replacement, but now there is.
* | Merge 0.12->trunk [Matthew Wild, 2023-02-21, 0, -0/+0]
|\|
| * Added tag 0.12.3 for changeset 0598d822614f [Matthew Wild, 2023-02-21, 0, -0/+0]
| |
* | Merge 0.12->trunk [Matthew Wild, 2023-02-20, 1, -0/+3]
|\|
| * mod_websocket: Fire pre-session-close event (fixes #1800) 0.12.3 [Matthew Wild, 2023-02-20, 1, -0/+3]
| |   This event was added in a7c183bb4e64 and is required to make mod_smacks know that a session was intentionally closed and shouldn't be hibernated (see fcea4d9e7502). Because this was missing from mod_websocket's session.close(), mod_smacks would always attempt to hibernate websocket sessions even if they closed cleanly. That mod_websocket has its own copy of session.close() is something to fix another day (probably not in the stable branch). So for now this commit makes the minimal change to get things working again. Thanks to Damian and the Jitsi team for reporting.
* | MUC: Add Occupant API methods to Teal spec [Kim Alvefur, 2023-02-20, 1, -0/+6]
| |
* | MUC: Add Teal description of muc.lib functions [Kim Alvefur, 2023-02-20, 1, -0/+9]
| |