File

mod_invites_register_api: Use set_password() for password resets Previously the code relied on the (weird) behaviour of create_user(), which would update the password for a user account if it already existed. This has several issues, and we plan to deprecate this behaviour of create_user(). The larger issue is that this route does not trigger the user-password-changed event, which can be a security problem. For example, it did not disconnect existing user sessions (this occurs in mod_c2s in response to the event). Switching to set_password() is the right thing to do.

# mod_tos

A very drafty module to implement some kind of Terms of Service acceptance
tool.

Currently, this only works with clients implementing this very drafty
protocol. The result of the experiments will be an update to the
[ToS ProtoXEP](https://xmpp.org/extensions/inbox/tos.html), with the goal
of acceptance.