| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| |
| | |
Overrides the util.jwt default of 1h with the intended TTL of 10
minutes. Because util.jwt now has its own expiry checks, so the 'expiry'
field is no longer used and can thus be removed.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This makes it so that --admin and --role are no longer mutually
exclusive, they the former is simply treated as another --role.
This was likely a leftover from when only a single role was possible.
It does however become unclear which should be the primary, since the
order is not preserved by argparse.
Bonus: Loading of modules is avoided with only the --help is shown.
|
| |
| |
| |
| | |
Forgot to change the column name in 9a7523ea45cb
|
| | |
|
| |
| |
| |
| | |
Avoids an error if the upgrade is performed twice..
|
| |
| |
| |
| |
| | |
Prevents false positives in the odd case where something other than an
index with this name might exist.
|
| |
| |
| |
| | |
The "pg_indexes" view is much simpler to inspect than "pg_class"
|
| |
| |
| |
| | |
Tested. Works.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
No point in doing this expensive O(n) query if the result is not used
for anything.
Will still cache the total item count if an explicit query for this is
performed, then try to keep it updated with new items added. Will likely
forget eventually tho.
|
| |
| |
| |
| |
| | |
Notably the default journal_mode of DELETE is somewhat slow, some users
might want to catch up to the amazing performance of internal storage.
|
| |
| |
| |
| |
| | |
Knowing what features are available could be useful for future
experiments. For example, with the JSON module or full text search.
|
| |
| |
| |
| |
| |
| |
| | |
Removes the need for the shim in storagemanager.
The methods only really access the 'store' property of the first (self)
argument, so this is safe.
|
| |
| |
| |
| |
| |
| |
| | |
Currently limited to SQLite3 for lack of testing on other databases.
Adds a migration to replace the non-UNIQUE prosody_index, renaming it
prosody_unique_index since ALTER INDEX does not seem to be portable.
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Because it changes the type of the 'opt_origins' variable from util.set
to the internal _items table so next time an http app is added an error
"attempt to call a nil value (method 'empty')" is triggered. The value
is not used anywhere else.
Noticed when reviewing uses of the '_items' set property.
Not reported by any users, implying this setting is rarely used.
|
| |
| |
| |
| |
| | |
Avoids the _items semi-private value, that is used everywhere for some
reason.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Iterating over an entire archive to find a few items in the far end from
where iteration started is expensive, and probably more expensive with
the lazy-loading of items added in the previous commit.
Since we can now efficiently read items in random order, we can now use
a binary search to find a better starting point for iteration.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Very large list files previously ran into limits of the Lua parser, or
just caused Prosody to freeze while parsing.
Using the new index we can parse individual items one at a time. This
probably won't reduce overall CPU usage, probably the opposite, but it
will reduce the number of items in memory at once and allow collection
of items after we iterated past them.
|
| |
| |
| |
| | |
Two pairs replaced by one. Blame lua-format for the line diff delta.
|
| |
| |
| |
| | |
Reminder to update the configuration if the change is to be permanent.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Supporting both methods at the same time may open to spoofing attacks,
whereby a client sends a Forwarded header that is not stripped by a
reverse proxy, leading Prosody to use that instead of the X-Forwarded-*
headers actually sent by the proxy.
By only supporting one at a time, it can be configured to match what the
proxy uses.
Disabled by default since implementations are sparse and X-Forwarded-*
are everywhere.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Prefer over X-Forwarded-* since it has an actual specification.
Main practical difference is that Forwarded may carry more properties
than only the IP address since it is a structured header.
Since we parse it into an array, it is easier to do the logical thing
and iterate backwards trough proxies until an untrusted one is
encountered. Compare the handling of X-Forwarded-For.
The 'secure' field now accounts for the full chain of proxies, which
must be secure all the way to be considered secure.
|
| |
| |
| |
| |
| |
| | |
There are hints that this format might be used in X-Forwarded-For as
well, so best handle it everywhere. Strips both brackets and optional
port number.
|
| | |
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Could be used to implement custom connection methods (c.f. mod_onions)
without needing to duplicate the rest of route_to_new_session().
Adds a feature to enable detection since it can be difficult to detect
support for an event otherwise.
|
| |
| |
| |
| | |
To help with configuring reverse proxies.
|
| |
| |
| |
| |
| |
| |
| |
| | |
This could be of help when configuring reverse proxies, as it is the
internal URL the proxy must point at.
Argument treated as an enum "internal" "external"(default) to allow for
future extensibility.
|
| |
| |
| |
| |
| | |
Mirroring debug:events("http"), and to replace the "Firing event: GET /"
log lines in net.http.server
|
| |
| |
| |
| | |
Missing feature. It should behave like debug:events()
|
| |
| |
| |
| |
| |
| | |
If a grant does not have a role, we should not go and make one up.
While not very useful for XMPP if you can't even login, it may be useful
for OAuth2/OIDC.
|
| |
| |
| |
| |
| | |
Such a session triggers errors in module:may or other places since it is
generally expected that a session must have a role.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since throwing a pile of 'access denied', even at debug level, seems
akin to calling wolf :)
Cutting down on debug noise is also good.
Passing a flag instead of using module:could seemed easier here.
|
| |
| |
| |
| | |
Caused by roles changing from table|nil to always table in c2616274bef7
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Closing the session invokes ondisconnect and session close logic,
including mod_smacks hibernation and the timer that destroys the session
after a timeout.
By closing the connection after it has been detached from the sessions
table it will no longer invoke the ondetach handler, which should
prevent the above problem.
|
| |
| |
| |
| |
| |
| |
| | |
The (still not published) XEP-xxxx: Stream Limits Advertisement uses the
element <max-bytes/> to advertise the maximum octet size of top level
stream elements. "size" was probably a leftover of an even earlier
version of the (Proto)XEP.
|
|\| |
|
| |
| |
| |
| | |
This timer shouldn't kick in in the middle of active mode.
|
| |
| |
| |
| |
| |
| | |
It should not be there afterwards. Noticed that it seems to fire some
time after resumption claiming that the queue size is nil, implying
that it may hold a reference to an expired session somehow.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Removes some dead code and hopefully simplifies a bit.
There's a tree of possibilities with the two tri-state status
properties, something like
chain:
* nil -- cert validation disabled?
* invalid -- something wrong with the chain (including ee cert)
* valid -- chain ok
cert:
* nil -- incomplete validation??
* invalid -- mismatched names or such
* valid -- all good!
|
|\| |
|
| |
| |
| |
| |
| | |
Looks like autocomplete unhelpfully capitalized this word, but it's
lowercase where it is set in mod_s2s_auth_certs
|
| |
| |
| |
| |
| |
| | |
It is the other end who should request client certificates for these
connections, we only need to send ours. Hopefully this was treated as a
noop, so probably no harm in keeping it. But hey, spring cleaning? :)
|
| |
| |
| |
| |
| |
| | |
Was previously supposed to be conditionally advertised based on
availability of a module handling the actual optimizations, which was
removed in be9ac41f1619
|
| |
| |
| |
| |
| |
| | |
Fixes parsing of tokens that happen to have a `;` in their secret part,
otherwise it splits there and the later bit goes into the username and
hitting the "Invalid token in storage" condition.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime
explicitly bounded here, but rather be bounded by the lifetime of
something else, like the OAuth2 client.
Open question: Would it be better to enforce a lifetime on all tokens?
|
| |
| |
| |
| | |
Consistency is nice.
|
| |
| |
| |
| | |
Applying this for s2s:close[all]() would also be nice.
|