aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* util.sasl.oauthbearer: Fix traceback on authz in unexpected formatKim Alvefur2023-03-021-0/+4
| | | | | | E.g. if you were to just pass "username" without @hostname, the split will return nil, "username" and the nil gets passed to saslprep() and it does not like that.
* mod_tokenauth: Gracefully handle missing tokensMatthew Wild2023-03-011-0/+1
|
* mod_auth_internal_hashed: Add oauthbearer handler to our SASL profileMatthew Wild2023-03-011-1/+4
|
* mod_tokenauth: Add SASL handler backend that can accept and verify tokensMatthew Wild2023-03-011-0/+18
| | | | | This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
* mod_tokenauth: Add some sanity checking of the new optional parametersMatthew Wild2023-03-011-0/+4
|
* mod_tokenauth: Add 'purpose' constraintMatthew Wild2023-03-011-1/+2
| | | | | | | | | | This allows tokens to be tied to specific purposes/protocols. For example, we shouldn't (without specific consideration) allow an OAuth token to be dropped into a slot expecting a FAST token. While FAST doesn't currently use mod_tokenauth, it and others may do in the future. It's better to be explicit about what kind of token code is issuing or expecting.
* mod_saslauth: Support for SASL handlers forcing a specific resourceMatthew Wild2023-03-011-2/+4
| | | | The token layer supports tokens that are tied to a given resource.
* util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)Matthew Wild2023-03-012-4/+88
|
* mod_admin_adhoc: Add XEP-0133 commands to Disable and Re-Enable usersKim Alvefur2023-02-231-0/+66
| | | | Enables UI in clients supporting XEP-0050
* CHANGES: Mention new ability to disable and enable user accountsKim Alvefur2023-02-231-0/+1
|
* mod_admin_shell: Add commands to disable and enable accountsKim Alvefur2023-02-231-0/+32
| | | | First proper UI to enable/disable, allowing it to be tested.
* mod_c2s: Disconnect accounts when they are disabledKim Alvefur2023-02-231-0/+1
| | | | | | | | We decided that at the first stage, accounts that are disabled should simply be prevented from authenticating, thus they should also be prevented from having connected sessions. Since this is aimed to be a moderation action for cases of abuse, they shouldn't be allowed to continue being connected.
* core.usermanager: Fire events when enabling and disabling usersKim Alvefur2023-02-231-2/+10
| | | | Allow modules to act on this state change, e.g. kick accounts etc.
* core.usermanager: Add methods for enabling and disabling usersKim Alvefur2023-02-232-0/+35
| | | | Calling into the auth module, where available.
* core.usermanager: Add Teal description fileKim Alvefur2023-02-231-0/+43
|
* mod_auth_internal_hashed: Implement methods to enable and disable usersKim Alvefur2023-02-231-4/+9
|
* mod_auth_internal_hashed: Implement is_enabled() methodKim Alvefur2023-02-231-3/+5
| | | | Uses 'disabled' property already introduced in aed38948791f
* mod_auth_internal_hashed: Add stub methods for enabling and disabling usersKim Alvefur2023-02-221-0/+8
| | | | But how and where?
* mod_auth_internal_hashed: Refactor to prepare for disabling usersKim Alvefur2023-02-221-2/+7
| | | | | | Moving this out will make space for a dynamic check whether a particular user is disabled or not, which is one possible response to abuse of account privileges.
* Merge 0.12->trunkKim Alvefur2023-02-221-2/+2
|\
| * util.prosodyctl.check: Suggest 'http_cors_override' instead of older CORS ↵Kim Alvefur2023-02-221-2/+2
| | | | | | | | | | | | | | | | settings The cross_domain_* settings were added here prior to http_cors_override being added back in 17d87fb2312a, so for a time there was no replacement, but now there is.
* | Merge 0.12->trunkMatthew Wild2023-02-210-0/+0
|\|
| * Added tag 0.12.3 for changeset 0598d822614fMatthew Wild2023-02-210-0/+0
| |
* | Merge 0.12->trunkMatthew Wild2023-02-201-0/+3
|\|
| * mod_websocket: Fire pre-session-close event (fixes #1800)0.12.3Matthew Wild2023-02-201-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This event was added in a7c183bb4e64 and is required to make mod_smacks know that a session was intentionally closed and shouldn't be hibernated (see fcea4d9e7502). Because this was missing from mod_websocket's session.close(), mod_smacks would always attempt to hibernate websocket sessions even if they closed cleanly. That mod_websocket has its own copy of session.close() is something to fix another day (probably not in the stable branch). So for now this commit makes the minimal change to get things working again. Thanks to Damian and the Jitsi team for reporting.
* | MUC: Add Occupant API methods to Teal specKim Alvefur2023-02-201-0/+6
| |
* | MUC: Add Teal description of muc.lib functionsKim Alvefur2023-02-201-0/+9
| |
* | MUC: Start on a Teal description of MUC roomsKim Alvefur2023-02-201-0/+163
| | | | | | | | Started as part of a documentation project for the MUC API
* | Merge 0.12->trunkMatthew Wild2023-02-172-5/+53
|\|
| * net.http.parser: Fix off-by-one error in chunk parserMatthew Wild2023-02-172-5/+53
| |
* | Merge 0.12->trunkKim Alvefur2023-02-162-1/+7
|\|
| * mod_admin_socket: Return error on unhandled input to prevent apparent freezeKim Alvefur2023-02-162-1/+7
| | | | | | | | | | | | When mod_admin_socket is loaded without mod_admin_shell, attempt to use `prosodyctl shell` will appear to freeze after any input, since no response is returned.
* | Merge 0.12->trunkMatthew Wild2023-02-161-0/+4
|\|
| * net.http.server: Add new API to get HTTP request from a connectionMatthew Wild2023-02-161-0/+4
| | | | | | | | | | | | | | | | | | | | | | This information is sometimes necessary in the context where we have a connection that we know (or believe to be) associated with an incoming HTTP request. For example, it can be used to retrieve the IP address of a request (which may differ from the IP address of the connection, due to X-Forwarded-For and co). Thanks to the Jitsi team for highlighting this gap in the API.
* | util.poll: Include unistd.h only for epollKim Alvefur2023-02-101-1/+1
| | | | | | | | | | This defines close(), which is only used with epoll, hence we don't need to include it when building in poll or select mode.
* | Merge 0.12->trunkMatthew Wild2023-02-093-10/+15
|\|
| * net.http.parser: Improve handling of responses without content-lengthMatthew Wild2023-02-092-9/+14
| | | | | | | | | | | | This ensures that we support responses without a content-length header, and allow streaming them through the streaming handler interface. An example of such a response would be Server-Sent Events streams.
| * net.http: Add missing log parameterMatthew Wild2023-02-091-1/+1
| |
* | Merge 0.12->trunkMatthew Wild2023-02-091-4/+11
|\|
| * sessionmanager: Improve logging around session destructionMatthew Wild2023-02-091-3/+10
| |
| * core.sessionmanager: Mark session as destroyed to prevent reentryKim Alvefur2023-01-191-0/+1
| | | | | | | | | | If it reaches this point, then the session will be most definitely be destroyed, so try to prevent destroy_session() from being called again.
| * core.sessionmanager: Skip log when (not) destroying destroyed sessionsKim Alvefur2023-01-191-2/+1
| | | | | | | | | | | | | | | | | | On regular disconnects, </stream> is sent, then sessionmanager.destroy_session() is called, then sessionmanager.destroy_session() is called again when the TCP connection is closed, from ondisconnect in mod_c2s. It is a bit annoying and doesn't really tell you much.
* | util.crypto: Preemptively silence 'strict-prototypes' warningKim Alvefur2023-01-311-1/+1
| | | | | | | | | | | | | | | | With `gcc-12 -Wstrict-prototypes` the following warning is shown: crypto.c:43:13: warning: function declaration isn't a prototype [-Wstrict-prototypes] 43 | static BIO* new_memory_BIO() { | ^~~~~~~~~~~~~~
* | mod_storage_sql: Remove module status on unknown 'debug' levelKim Alvefur2023-01-311-1/+0
| | | | | | | | | | Expected this to be translated to 'core', but it logs an error instead. See previous commit.
* | core.moduleapi: Fix passing variable to loggingKim Alvefur2023-01-311-1/+1
| |
* | mod_storage_sql: Silence luacheck warningKim Alvefur2023-01-301-1/+1
| |
* | mod_storage_sql: Record connection to database as module statusKim Alvefur2023-01-303-4/+18
| | | | | | | | | | | | Allows retrieving this in e.g. a health reporting module Thanks pfak
* | mod_admin_shell: Match substring in muc:affiliations() like muc:occupants()Kim Alvefur2023-01-301-1/+1
| | | | | | | | Maybe one day we'll get consistent filtering semantics everywhere.
* | mod_admin_shell: Sort MUC users by relation and JIDKim Alvefur2023-01-291-18/+51
| | | | | | | | Suggested by MattJ, our resident UI expert :)
* | mod_admin_shell: Make Role and Affiliation columns the same width for aestheticsKim Alvefur2023-01-291-2/+2
| | | | | | | | | | The length of the title "Affiliation" made them both close enough that it looked off.