aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
Commit message (Collapse)AuthorAgeFilesLines
* mod_admin_shell: Use new serialize preset to simplify default configKim Alvefur2023-06-091-2/+5
| | | | Two pairs replaced by one. Blame lua-format for the line diff delta.
* mod_admin_shell: Warn when (un-)loading module would be undone by restartKim Alvefur2023-06-061-0/+12
| | | | Reminder to update the configuration if the change is to be permanent.
* mod_http: Make RFC 7239 Forwarded opt-in for now to be safeKim Alvefur2023-06-031-3/+10
| | | | | | | | | | | | | Supporting both methods at the same time may open to spoofing attacks, whereby a client sends a Forwarded header that is not stripped by a reverse proxy, leading Prosody to use that instead of the X-Forwarded-* headers actually sent by the proxy. By only supporting one at a time, it can be configured to match what the proxy uses. Disabled by default since implementations are sparse and X-Forwarded-* are everywhere.
* mod_http: Use RFC 7239 Forwarded header to find original client IPKim Alvefur2023-06-031-1/+20
| | | | | | | | | | | | | | Prefer over X-Forwarded-* since it has an actual specification. Main practical difference is that Forwarded may carry more properties than only the IP address since it is a structured header. Since we parse it into an array, it is easier to do the logical thing and iterate backwards trough proxies until an untrusted one is encountered. Compare the handling of X-Forwarded-For. The 'secure' field now accounts for the full chain of proxies, which must be secure all the way to be considered secure.
* mod_http: Handle bracketed IP address format from RFC 7239Kim Alvefur2023-06-031-0/+6
| | | | | | There are hints that this format might be used in X-Forwarded-For as well, so best handle it everywhere. Strips both brackets and optional port number.
* mod_admin_shell: Show internal URL where different from externalKim Alvefur2023-05-281-4/+8
|
* Merge 0.12->trunkKim Alvefur2023-05-241-0/+4
|\
| * mod_s2s: Add event where resolver for s2sout can be tweakedKim Alvefur2022-08-181-0/+4
| | | | | | | | | | | | | | | | Could be used to implement custom connection methods (c.f. mod_onions) without needing to duplicate the rest of route_to_new_session(). Adds a feature to enable detection since it can be difficult to detect support for an event otherwise.
* | mod_admin_shell: Show internal URL in addition to external in http:listKim Alvefur2023-05-241-5/+8
| | | | | | | | To help with configuring reverse proxies.
* | mod_http: Add way to retrieve internal URL instead of externalKim Alvefur2023-05-241-2/+2
| | | | | | | | | | | | | | | | This could be of help when configuring reverse proxies, as it is the internal URL the proxy must point at. Argument treated as an enum "internal" "external"(default) to allow for future extensibility.
* | mod_admin_shell: Allow logging HTTP events with debug:logevents("http")Kim Alvefur2023-05-141-0/+3
| | | | | | | | | | Mirroring debug:events("http"), and to replace the "Firing event: GET /" log lines in net.http.server
* | mod_admin_shell: Allow logging global events with debug:logevents("*")Kim Alvefur2023-05-141-1/+5
| | | | | | | | Missing feature. It should behave like debug:events()
* | mod_tokenauth: Support selection of _no_ role at allKim Alvefur2023-05-071-5/+6
| | | | | | | | | | | | If a grant does not have a role, we should not go and make one up. While not very useful for XMPP if you can't even login, it may be useful for OAuth2/OIDC.
* | mod_tokenauth: Return error instead of session for token without roleKim Alvefur2023-05-071-1/+3
| | | | | | | | | | Such a session triggers errors in module:may or other places since it is generally expected that a session must have a role.
* | mod_adhoc: Silence permission errors when listing commandsKim Alvefur2023-05-071-3/+3
| | | | | | | | | | | | | | | | | | Since throwing a pile of 'access denied', even at debug level, seems akin to calling wolf :) Cutting down on debug noise is also good. Passing a flag instead of using module:could seemed easier here.
* | mod_invites: Fix password reset invitesKim Alvefur2023-05-071-1/+1
| | | | | | | | Caused by roles changing from table|nil to always table in c2616274bef7
* | core.sessionmanager: Delay closing a replaced connection after replacementKim Alvefur2023-05-071-0/+1
| | | | | | | | | | | | | | | | | | | | Closing the session invokes ondisconnect and session close logic, including mod_smacks hibernation and the timer that destroys the session after a timeout. By closing the connection after it has been detached from the sessions table it will no longer invoke the ondetach handler, which should prevent the above problem.
* | mod_c2s,mod_s2s: Fix tag name for SLA (thanks mjk)Kim Alvefur2023-05-032-5/+5
| | | | | | | | | | | | | | The (still not published) XEP-xxxx: Stream Limits Advertisement uses the element <max-bytes/> to advertise the maximum octet size of top level stream elements. "size" was probably a leftover of an even earlier version of the (Proto)XEP.
* | Merge 0.12->trunkKim Alvefur2023-05-011-0/+8
|\|
| * mod_csi_simple: Disable revert-to-inactive timer when going to active modeKim Alvefur2023-05-011-0/+4
| | | | | | | | This timer shouldn't kick in in the middle of active mode.
| * mod_csi_simple: Clear delayed active mode timer on disableKim Alvefur2023-05-011-0/+4
| | | | | | | | | | | | It should not be there afterwards. Noticed that it seems to fire some time after resumption claiming that the queue size is nil, implying that it may hold a reference to an expired session somehow.
* | mod_admin_shell: Refactor 'cert' columnKim Alvefur2023-04-301-4/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removes some dead code and hopefully simplifies a bit. There's a tree of possibilities with the two tri-state status properties, something like chain: * nil -- cert validation disabled? * invalid -- something wrong with the chain (including ee cert) * valid -- chain ok cert: * nil -- incomplete validation?? * invalid -- mismatched names or such * valid -- all good!
* | Merge 0.12->trunkKim Alvefur2023-04-191-1/+1
|\|
| * mod_admin_shell: Fix display of remote cert status when expired etcKim Alvefur2023-04-061-1/+1
| | | | | | | | | | Looks like autocomplete unhelpfully capitalized this word, but it's lowercase where it is set in mod_s2s_auth_certs
* | mod_tls: Drop request for client certificates on outgoing connectionsKim Alvefur2023-04-191-1/+1
| | | | | | | | | | | | It is the other end who should request client certificates for these connections, we only need to send ours. Hopefully this was treated as a noop, so probably no harm in keeping it. But hey, spring cleaning? :)
* | mod_csi: Always advertise featureKim Alvefur2023-04-161-2/+1
| | | | | | | | | | | | Was previously supposed to be conditionally advertised based on availability of a module handling the actual optimizations, which was removed in be9ac41f1619
* | mod_tokenauth: Fix parsing binary part of tokensKim Alvefur2023-04-121-1/+1
| | | | | | | | | | | | Fixes parsing of tokens that happen to have a `;` in their secret part, otherwise it splits there and the later bit goes into the username and hitting the "Invalid token in storage" condition.
* | mod_tokenauth: Only check if expiry of expiring tokensKim Alvefur2023-04-121-1/+1
| | | | | | | | | | | | | | | | Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime explicitly bounded here, but rather be bounded by the lifetime of something else, like the OAuth2 client. Open question: Would it be better to enforce a lifetime on all tokens?
* | mod_admin_shell: Use same wildcard matching in other s2s commandKim Alvefur2023-04-101-6/+5
| | | | | | | | Consistency is nice.
* | mod_admin_shell: Factor apart wildcard matching into function for reuseKim Alvefur2023-04-101-14/+18
| | | | | | | | Applying this for s2s:close[all]() would also be nice.
* | mod_csi: Remove module status, doesn't work because of mod_smacksKim Alvefur2023-04-101-12/+0
| | | | | | | | | | | | | | This was meant to warn in case you had only mod_csi without a logic handling module like mod_csi_simple by checking if anything hooked this event, however mod_smacks also hooks this event and so this isn't really a useful way of detecting this condition.
* | mod_http: Fix reliance on previous tostring() format of util.setKim Alvefur2023-04-101-2/+7
| | | | | | | | | | | | | | | | a863e4237b91 unintentionally changed the format of HTTP CORS headers, which were apparently relying on the output of tostring(), which it shouldn't have. Explicitly serializing it this time.
* | mod_admin_shell: Add config:set([host,] key, value) because why notKim Alvefur2023-04-081-0/+8
| | | | | | | | | | | | | | | | | | We had config:get() but not this. > <MattJ> Yeah, why did we never implement that? Handy if you want to quickly try out settings without reloading the whole config.
* | mod_admin_shell: Allow wildcard matches like s2s:show("*.example.com")Kim Alvefur2023-04-081-1/+13
| | | | | | | | | | E.g. if you want to show connections to/from a domain, including its subdomains, this is handy.
* | mod_http_file_share: use util.human.io.parse_durationJonas Schäfer2022-04-281-1/+7
| | | | | | | | | | | | Updated by Zash, the original patch by Jonas had put the duration parsing function in util.datetime but MattJ later did the same thing but differently in f4d7fe919969
* | mod_mam: port to use util.human.io.parse_durationJonas Schäfer2022-04-281-8/+6
| | | | | | | | | | | | Updated by Zash, the original patch by Jonas had put the duration parsing function in util.datetime but MattJ later did the same thing but differently in f4d7fe919969
* | mod_admin_shell: Allow "*" as substitute for 'nil' for easier CLI usageKim Alvefur2023-04-071-2/+2
| | | | | | | | | | | | | | | | Since prosodyctl shell with additional arguments assumes the first two are a section:command() and any following arguments are strings, passing a bare 'nil' is not possible. In order to avoid delving into this rabbit hole, instead produce a token that alone is not really a legal JID for use as wildcard.
* | mod_admin_shell: Make IP column thinner if IPv6 is disabledKim Alvefur2023-04-071-1/+1
| | | | | | | | | | | | | | IPv6 addresses can be pretty long, so if they can be more compact, that's nice. But nobody would disable IPv6, would they?
* | mod_admin_shell: Make default column width 1 partKim Alvefur2023-04-071-1/+1
| | | | | | | | | | These gets used for usernames, resources and other random session fields that don't have a column definition in `available_columns`
* | mod_admin_shell: Fix attempt to compare number with stringKim Alvefur2023-04-071-1/+1
| | | | | | | | Missed the # in 93c1590b5951
* | mod_admin_shell: Dynamically size JIDs and hostsKim Alvefur2023-04-071-4/+4
| | | | | | | | Reasoning: a hostname is one part, a JID is 3 parts.
* | mod_admin_shell: More dynamic widths calculationsKim Alvefur2023-04-071-3/+14
| |
* | mod_admin_shell: Calculate widths of columns from example valuesKim Alvefur2023-04-061-12/+19
| | | | | | | | | | Harder to accidentally count wrong if Lua is doing the counting on a plausible input.
* | mod_admin_shell: Strip 'prosody:' prefix to allow narrower Role columnKim Alvefur2023-04-021-3/+4
| |
* | mod_debug_reset: Remove now unused import of util.time (thanks luacheck)Matthew Wild2023-04-061-2/+0
| |
* | mod_debug_reset: Don't delay operations until next tickMatthew Wild2023-04-061-6/+4
| | | | | | | | | | | | | | | | For some unknown reason, this was required with the old mock util.time functions prior to 012d6e7b723a. After 012d6e7b723a, it breaks. So I'm happy to revert to not delaying anything. This makes tests pass again.
* | mod_csi: Drop summary stats, doesn't work in normal moduleKim Alvefur2023-04-061-9/+0
| | | | | | | | | | | | This method ends up going up for each collection and the :clear() method is only available to global modules (see e.g. mod_c2s), while regular per-host modules get scoped stats
* | mod_csi: Add metrics, covering changes and totalsKim Alvefur2023-04-061-0/+12
| | | | | | | | | | Motivation: Investigating clients that seem to forget to set CSI. Also, of course, MORE GRAPHS!
* | mod_tokenauth: Add API method to revoke a grant by idMatthew Wild2023-04-051-0/+7
| | | | | | | | We probably want to refactor revoke_token() to use this one in the future.
* | Merge 0.12->trunkKim Alvefur2023-04-041-1/+10
|\|