mod_sasl_ssdp/README.md @ 6193:e977174082ee
mod_invites_register_api: Use set_password() for password resets
Previously the code relied on the (weird) behaviour of create_user(), which
would update the password for a user account if it already existed. This has
several issues, and we plan to deprecate this behaviour of create_user().
The larger issue is that this route does not trigger the user-password-changed
event, which can be a security problem. For example, it did not disconnect
existing user sessions (this occurs in mod_c2s in response to the event).
Switching to set_password() is the right thing to do
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 06 Feb 2025 10:24:30 +0000 |
parent | 6163:eff78e2c7d22 |
---
labels:
- 'Stage-Alpha'
summary: 'XEP-0474: SASL SCRAM Downgrade Protection'
...

Introduction
============

This module implements the experimental XEP-0474: SASL SCRAM Downgrade
Protection. It provides an alternative downgrade protection mechanism to
client-side pinning, which is currently the most common method of downgrade
protection.

# Configuration

There are no configuration options for this module; just load it as normal.

# Compatibility

For SASL2 (XEP-0388) clients, it is compatible with the mod_sasl2 community
module.

For clients using RFC 6120 SASL, it requires Prosody trunk 33e5edbd6a4a or
later. For "legacy SASL", it is not compatible with Prosody 0.12 (it will
load, but simply won't do anything).