| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new format has the following properties:
- 5 bytes longer than the previous format
- The token now has separate 'id' and 'secret' parts - the token itself is no
longer stored in the DB, and the secret part is hashed
- The only variable length field (JID) has been moved to the end
- The 'secret-token:' prefix (RFC 8959) is now included
Compatibility with the old token format was not maintained, and all previously
issued tokens are invalid after this commit (they will be removed from the DB
if used).
|
| |
|
|
|
|
|
|
|
|
|
| |
Following the new behavior in auth_internal_hashed (c8f59ce7d3cf), the account
will be created and disabled, instead of returning an error telling password
being nil when calling saslprep().
Note that mod_auth_internal_plain does not have full support for
enabled/disabled accounts, but that may be fixed in subsequent commits.
|
|
|
|
|
| |
Why did it call a function defined in the same module through
usermanager?
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6120 states that
> If the initiating entity does not wish to act on behalf of another
> entity, it MUST NOT provide an authorization identity.
Thus it seems weird to require it here. We can instead expect an
username from the token data passed back from the profile.
This follows the practice of util.sasl.external where the profile
callback returns the selected username, making the authentication module
responsible for extracting the username from the token.
|
|
|
|
| |
Could be useful for e.g. #1772
|
|
|
|
|
|
| |
E.g. module:info("http") with many http modules loaded would show a lot
of duplication, as each module would be listed for each host, even if
not actually enabled on that host.
|
|
|
|
|
| |
Made it reject the primary role since it compares against a non-existent
field, i.e. nil.
|
|\ |
|
| | |
|
| |
| |
| |
| | |
Why was this module loaded? Now you can find out!
|
| |
| |
| |
| |
| |
| |
| |
| | |
Some of the OAuth stuff highlights a small need to retrieve a list of
roles somehow. Handy if you ever need a role selector in adhoc or
something.
Unless there's some O(n) thing we were avoiding?
|
| |
| |
| |
| | |
`type(x ~= y)` is always a string, thus truthy
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
This is designed for use by other modules that want to accept tokens issued
by mod_tokenauth, without duplicating all the necessary logic.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows tokens to be tied to specific purposes/protocols. For example, we
shouldn't (without specific consideration) allow an OAuth token to be dropped
into a slot expecting a FAST token.
While FAST doesn't currently use mod_tokenauth, it and others may do in the
future. It's better to be explicit about what kind of token code is issuing or
expecting.
|
| |
| |
| |
| | |
The token layer supports tokens that are tied to a given resource.
|
| |
| |
| |
| | |
Enables UI in clients supporting XEP-0050
|
| |
| |
| |
| | |
First proper UI to enable/disable, allowing it to be tested.
|
| |
| |
| |
| |
| |
| |
| |
| | |
We decided that at the first stage, accounts that are disabled should
simply be prevented from authenticating, thus they should also be
prevented from having connected sessions. Since this is aimed to be a
moderation action for cases of abuse, they shouldn't be allowed to
continue being connected.
|
| | |
|
| |
| |
| |
| | |
Uses 'disabled' property already introduced in aed38948791f
|
| |
| |
| |
| | |
But how and where?
|
| |
| |
| |
| |
| |
| | |
Moving this out will make space for a dynamic check whether a particular
user is disabled or not, which is one possible response to abuse of
account privileges.
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This event was added in a7c183bb4e64 and is required to make mod_smacks know
that a session was intentionally closed and shouldn't be hibernated (see
fcea4d9e7502).
Because this was missing from mod_websocket's session.close(), mod_smacks
would always attempt to hibernate websocket sessions even if they closed
cleanly.
That mod_websocket has its own copy of session.close() is something to fix
another day (probably not in the stable branch). So for now this commit makes
the minimal change to get things working again.
Thanks to Damian and the Jitsi team for reporting.
|
|\| |
|
| |
| |
| |
| |
| |
| | |
When mod_admin_socket is loaded without mod_admin_shell, attempt to use
`prosodyctl shell` will appear to freeze after any input, since no
response is returned.
|
| |
| |
| |
| |
| | |
Expected this to be translated to 'core', but it logs an error instead.
See previous commit.
|
| | |
|
| |
| |
| |
| |
| |
| | |
Allows retrieving this in e.g. a health reporting module
Thanks pfak
|
| |
| |
| |
| | |
Maybe one day we'll get consistent filtering semantics everywhere.
|
| |
| |
| |
| | |
Suggested by MattJ, our resident UI expert :)
|
| |
| |
| |
| |
| | |
The length of the title "Affiliation" made them both close enough that
it looked off.
|
| |
| |
| |
| | |
Tables are awesome!
|
| |
| |
| |
| | |
Justification: See diffstat
|
| |
| |
| |
| |
| | |
Easier than going trough muc:room():each_affiliation() since you have to
do fiddly things to reach the print() function.
|
| |
| |
| |
| |
| | |
Easier than going trough muc:room():each_occupant() since you have to do
fiddly things to reach the print() function.
|
| |
| |
| |
| | |
See also 781772c8b6d9
|
|\| |
|
| |
| |
| |
| |
| | |
Not sure why this was missing from MUC MAM, it already had some of the
code for dealing with it.
|
| |
| |
| |
| | |
Oversight in cabb022f31c0
|
| |
| |
| |
| |
| | |
Should have no functional difference, but makes it easier keeping
mod_mam and mod_muc_mam in sync.
|
| | |
|
| |
| |
| |
| | |
Introduced in 6966026262f4
|
|\| |
|
| |
| |
| |
| |
| | |
Will hopefully save future confusion about sessions being destroyed when
they are in fact not.
|
| | |
|