Commit message | Author | Age | Files | Lines | ||
---|---|---|---|---|---|---|
... | ||||||
* | | util.sasl.scram: Fix off-by-one indentation | Kim Alvefur | 2023-03-16 | 1 | -2/+2 | |
| | | ||||||
* | | util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid | Kim Alvefur | 2023-03-16 | 2 | -4/+5 | |
| | | | | | | | | Partly copied from util.sasl.scram and then reduced a bit. | |||||
* | | doap: Sort by XEP number | Kim Alvefur | 2023-03-16 | 1 | -6/+6 | |
| | | | | | | | | | | | | To keep them sorted. Not pedantic at all! | |||||
* | | util.sasl.oauthbearer: Return username from callback instead of using authzid (BC) | Kim Alvefur | 2023-03-16 | 2 | -38/+10 | |
| | | | | | | | | | | | | | | | | | | | | | | | | | | RFC 6120 states that "If the initiating entity does not wish to act on behalf of another entity, it MUST NOT provide an authorization identity." Thus it seems weird to require it here. We can instead expect a username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token. | |||||
* | | util.sasl.oauthbearer: Fix syntax error in b796e08e6376 | Matthew Wild | 2023-03-15 | 1 | -1/+1 | |
| | | ||||||
* | | util.sasl.oauthbearer: Attach token_info to sasl handler | Matthew Wild | 2023-03-15 | 1 | -0/+2 | |
| | | | | | | | | | | | | This allows token-aware things to access extra information about the authentication, such as when the token is due to expire and the attached custom 'data'. | |||||
* | | util.ip: Add Teal interface description | Kim Alvefur | 2023-03-14 | 1 | -0/+20 | |
| | | ||||||
* | | util.ip: Tests for truncate() | Matthew Wild | 2023-03-14 | 1 | -0/+22 | |
| | | ||||||
* | | mod_auth_internal_hashed: Record time of account disable / re-enable | Kim Alvefur | 2023-03-12 | 1 | -0/+2 | |
| | | | | | | | | Could be useful for e.g. #1772 | |||||
* | | util.ip: Add ip.truncate() to return a new IP with only the prefix of another | Matthew Wild | 2023-03-14 | 1 | -0/+12 | |
| | | ||||||
* | | util.ip: Add is_ip() helper method to detect if an object is an ip object | Matthew Wild | 2023-03-14 | 1 | -0/+5 | |
| | | ||||||
* | | doap: Add RFC 7628 introduced in ab1164eda011 | Kim Alvefur | 2023-03-12 | 1 | -0/+1 | |
| | | ||||||
* | | util.jwt: Import definition of key from util.crypto | Kim Alvefur | 2023-03-10 | 1 | -4/+2 | |
| | | | | | | | | Turns out we had a definition of that already | |||||
* | | util.jwt: Fixup argument and type order | Kim Alvefur | 2023-03-10 | 1 | -1/+1 | |
| | | ||||||
* | | mod_admin_shell: Limit module dependency listings to loaded on current host | Kim Alvefur | 2023-03-10 | 1 | -2/+9 | |
| | | | | | | | | | | | | E.g. module:info("http") with many http modules loaded would show a lot of duplication, as each module would be listed for each host, even if not actually enabled on that host. | |||||
* | | util.jwt: Document interface as Teal definition file | Kim Alvefur | 2023-03-10 | 1 | -0/+40 | |
| | | ||||||
* | | mod_authz_internal: Fix wrong role name field in user_can_assume_role() | Kim Alvefur | 2023-03-09 | 1 | -1/+1 | |
| | | | | | | | | | | Made it reject the primary role since it compares against a non-existent field, i.e. nil. | |||||
* | | Merge 0.12->trunk | Kim Alvefur | 2023-03-05 | 1 | -3/+7 | |
|\| | ||||||
| * | mod_http: Unhook CORS handlers only if active (fixes #1801) | Kim Alvefur | 2023-03-05 | 1 | -3/+7 | |
| | | ||||||
* | | mod_admin_shell: Show reverse dependencies in module:info() | Kim Alvefur | 2023-03-05 | 1 | -0/+6 | |
| | | | | | | | | Why was this module loaded? Now you can find out! | |||||
* | | core.moduleapi: Record reverse dependencies | Kim Alvefur | 2023-03-05 | 1 | -0/+4 | |
| | | | | | | | | | | Useful to know why a module was auto-loaded without having to dig through all other modules for the one that depends on it. | |||||
* | | authz: Add method for retrieving all roles | Kim Alvefur | 2023-03-04 | 2 | -0/+11 | |
| | | | | | | | | | | | | | | | | Some of the OAuth stuff highlights a small need to retrieve a list of roles somehow. Handy if you ever need a role selector in adhoc or something. Unless there's some O(n) thing we were avoiding? | |||||
* | | mod_tokenauth: Fix misplaced closing parenthesis | Kim Alvefur | 2023-03-02 | 1 | -1/+1 | |
| | | | | | | | | `type(x ~= y)` is always a string, thus truthy | |||||
* | | util.sasl.oauthbearer: Fix traceback on authz in unexpected format | Kim Alvefur | 2023-03-02 | 1 | -0/+4 | |
| | | | | | | | | | | | | E.g. if you were to just pass "username" without @hostname, the split will return nil, "username" and the nil gets passed to saslprep() and it does not like that. | |||||
* | | mod_tokenauth: Gracefully handle missing tokens | Matthew Wild | 2023-03-01 | 1 | -0/+1 | |
| | | ||||||
* | | mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile | Matthew Wild | 2023-03-01 | 1 | -1/+4 | |
| | | ||||||
* | | mod_tokenauth: Add SASL handler backend that can accept and verify tokens | Matthew Wild | 2023-03-01 | 1 | -0/+18 | |
| | | | | | | | | | | This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic. | |||||
* | | mod_tokenauth: Add some sanity checking of the new optional parameters | Matthew Wild | 2023-03-01 | 1 | -0/+4 | |
| | | ||||||
* | | mod_tokenauth: Add 'purpose' constraint | Matthew Wild | 2023-03-01 | 1 | -1/+2 | |
| | | | | | | | | | | | | | | | | | | | | This allows tokens to be tied to specific purposes/protocols. For example, we shouldn't (without specific consideration) allow an OAuth token to be dropped into a slot expecting a FAST token. While FAST doesn't currently use mod_tokenauth, it and others may do in the future. It's better to be explicit about what kind of token code is issuing or expecting. | |||||
* | | mod_saslauth: Support for SASL handlers forcing a specific resource | Matthew Wild | 2023-03-01 | 1 | -2/+4 | |
| | | | | | | | | The token layer supports tokens that are tied to a given resource. | |||||
* | | util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628) | Matthew Wild | 2023-03-01 | 2 | -4/+88 | |
| | | ||||||
* | | mod_admin_adhoc: Add XEP-0133 commands to Disable and Re-Enable users | Kim Alvefur | 2023-02-23 | 1 | -0/+66 | |
| | | | | | | | | Enables UI in clients supporting XEP-0050 | |||||
* | | CHANGES: Mention new ability to disable and enable user accounts | Kim Alvefur | 2023-02-23 | 1 | -0/+1 | |
| | | ||||||
* | | mod_admin_shell: Add commands to disable and enable accounts | Kim Alvefur | 2023-02-23 | 1 | -0/+32 | |
| | | | | | | | | First proper UI to enable/disable, allowing it to be tested. | |||||
* | | mod_c2s: Disconnect accounts when they are disabled | Kim Alvefur | 2023-02-23 | 1 | -0/+1 | |
| | | | | | | | | | | | | | | | | We decided that at the first stage, accounts that are disabled should simply be prevented from authenticating, thus they should also be prevented from having connected sessions. Since this is aimed to be a moderation action for cases of abuse, they shouldn't be allowed to continue being connected. | |||||
* | | core.usermanager: Fire events when enabling and disabling users | Kim Alvefur | 2023-02-23 | 1 | -2/+10 | |
| | | | | | | | | Allow modules to act on this state change, e.g. kick accounts etc. | |||||
* | | core.usermanager: Add methods for enabling and disabling users | Kim Alvefur | 2023-02-23 | 2 | -0/+35 | |
| | | | | | | | | Calling into the auth module, where available. | |||||
* | | core.usermanager: Add Teal description file | Kim Alvefur | 2023-02-23 | 1 | -0/+43 | |
| | | ||||||
* | | mod_auth_internal_hashed: Implement methods to enable and disable users | Kim Alvefur | 2023-02-23 | 1 | -4/+9 | |
| | | ||||||
* | | mod_auth_internal_hashed: Implement is_enabled() method | Kim Alvefur | 2023-02-23 | 1 | -3/+5 | |
| | | | | | | | | Uses 'disabled' property already introduced in aed38948791f | |||||
* | | mod_auth_internal_hashed: Add stub methods for enabling and disabling users | Kim Alvefur | 2023-02-22 | 1 | -0/+8 | |
| | | | | | | | | But how and where? | |||||
* | | mod_auth_internal_hashed: Refactor to prepare for disabling users | Kim Alvefur | 2023-02-22 | 1 | -2/+7 | |
| | | | | | | | | | | | | Moving this out will make space for a dynamic check whether a particular user is disabled or not, which is one possible response to abuse of account privileges. | |||||
* | | Merge 0.12->trunk | Kim Alvefur | 2023-02-22 | 1 | -2/+2 | |
|\| | ||||||
| * | util.prosodyctl.check: Suggest 'http_cors_override' instead of older CORS settings | Kim Alvefur | 2023-02-22 | 1 | -2/+2 | |
| | | | | | | | | | | | | | | | | The cross_domain_* settings were added here prior to http_cors_override being added back in 17d87fb2312a, so for a time there was no replacement, but now there is. | |||||
* | | Merge 0.12->trunk | Matthew Wild | 2023-02-21 | 0 | -0/+0 | |
|\| | ||||||
| * | Added tag 0.12.3 for changeset 0598d822614f | Matthew Wild | 2023-02-21 | 0 | -0/+0 | |
| | | ||||||
* | | Merge 0.12->trunk | Matthew Wild | 2023-02-20 | 1 | -0/+3 | |
|\| | ||||||
| * | mod_websocket: Fire pre-session-close event (fixes #1800) 0.12.3 | Matthew Wild | 2023-02-20 | 1 | -0/+3 | |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This event was added in a7c183bb4e64 and is required to make mod_smacks know that a session was intentionally closed and shouldn't be hibernated (see fcea4d9e7502). Because this was missing from mod_websocket's session.close(), mod_smacks would always attempt to hibernate websocket sessions even if they closed cleanly. That mod_websocket has its own copy of session.close() is something to fix another day (probably not in the stable branch). So for now this commit makes the minimal change to get things working again. Thanks to Damian and the Jitsi team for reporting. | |||||
* | | MUC: Add Occupant API methods to Teal spec | Kim Alvefur | 2023-02-20 | 1 | -0/+6 | |
| | | ||||||
* | | MUC: Add Teal description of muc.lib functions | Kim Alvefur | 2023-02-20 | 1 | -0/+9 | |
| | |