Implement SASL2, BIND2, and FAST #1006
Conversation
As reccomended by the RFC
singpolyma
force-pushed
the
sasl2
branch
3 times, most recently
from
d655154 to
7c6e9c4
Compare
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Thanks! I will get around to fixing CI and reviewing once I have a bit of time. |
|
Not to be a pain, but any chance to get this looked at? Thanks :) |
|
@sonnyp tests added |
FAIL ./packages/client/dist/xmpp.min.js: 45.01KB > maxSize 16KB (gzip)
There was a problem hiding this comment.
I fixed CI and merged main into this. Plus a couple of minor changes, please see my commits
Please add end2end tests. See test/
You'll need to enable sasl2, bind2, fast in our Prosody (see server/) somehow so that tests that make use of it can be added.
End to end tests can be run with make ci
packages/sasl2/lib/SASLError.js
Outdated
| } | ||
| } | ||
|
|
||
| module.exports = SASLError; |
There was a problem hiding this comment.
either this is different from SASLError or it uses the one from the @xmpp/saslerror package
There was a problem hiding this comment.
I don't see such a package?
There was a problem hiding this comment.
sorry I meant form the @xmpp/sasl package
packages/stream-features/route.js
Outdated
| if (!prevent && entity.jid) entity._status("online", entity.jid); | ||
| if (!prevent && entity.jid && entity.status !== "online") { | ||
| entity._status("online", entity.jid); | ||
| } |
There was a problem hiding this comment.
Added comment to explain: BIND2 inline handler may have already set to online, eg inline SM resum
packages/connection/index.js
Outdated
| if ( | ||
| this.socket.secure && | ||
| this.socket.secure() && | ||
| (this.streamFrom || this.jid) | ||
| ) { | ||
| headerElement.attrs.from = (this.streamFrom || this.jid).toString(); | ||
| } |
There was a problem hiding this comment.
added comment to explain:
When the stream is secure there is no leak to setting the stream from
This is suggested in general and in required for FAST implementations
in particular
|
@sonnyp: Thanks to work on this @singpolyma PR :) No details in description but supported XEPs in this PR:
@singpolyma: XEPs are up-to-date? It will be nice to add XEP supported versions (example: 1.0.0) to be listed correctly in xmpp.org and to update easily: |
|
Why removing the new sasl mechanism from browser? That's the main place I'm using it |
|
@sonnyp e2e tests added and they work locally and in CI (that one CI failure looks like a hiccup to me but I don't have permission to ask it to rerun I guess) |
|
@singpolyma: Have you tested with ejabberd? cc: @mremond. |
server/modules/mod_sasl2_bind2.lua
Outdated
| if csi_state_tag then | ||
| session.state = csi_state_tag.name; | ||
| end | ||
| end, 10); |
There was a problem hiding this comment.
aren't these available on prosody-trunk ?
I don't want to manage in tree prosody modules
There was a problem hiding this comment.
we could add the prosody modules repo as a submodule to server
There was a problem hiding this comment.
Prosody modules repo is in mercurial not git. Could document what modules are needed and install them with the plugin installer CI or something maybe if you object to having local copies of the ones we need.
| @@ -263,6 +263,9 @@ class Connection extends EventEmitter { | |||
| this.socket.secure() && | |||
| (this.streamFrom || this.jid) | |||
| ) { | |||
| // When the stream is secure there is no leak to setting the stream from | |||
There was a problem hiding this comment.
there is no leak to setting the stream from
Needs clarification
and a reference to the spec 🙏
There was a problem hiding this comment.
What kind of clarification would you like for that?
There was a problem hiding this comment.
Spec reference:
However, if the client knows the XMPP identity then it SHOULD include the 'from' attribute after the confidentiality and integrity of the stream are protected via TLS or an equivalent security layer.
https://www.rfc-editor.org/rfc/rfc6120.html#section-4.7.1
|
|
||
| Mechanism.prototype.response = (cred) => { | ||
| this.password = cred.password; | ||
| const hmac = createHmac("sha256", this.password); |
There was a problem hiding this comment.
shouldn't password and token be 2 different concepts?
There was a problem hiding this comment.
From the point of view of a sasl mechanism it's the same thing. It doesn't know if you're using a token or a password or what, it's just some shared secret string.
packages/connection/index.js
Outdated
| // This is suggested in general and in required for FAST implementations | ||
| // in particular |
There was a problem hiding this comment.
| // This is suggested in general and in required for FAST implementations | |
| // in particular | |
| // This is recommended in general and required for FAST implementations |
| if ( | ||
| this.socket.secure && | ||
| this.socket.secure() && | ||
| (this.streamFrom || this.jid) |
There was a problem hiding this comment.
why do we need a new streamFrom param?
There was a problem hiding this comment.
Because we want to set the from on initial connection, before the jid is otherwise known in a c2s case, so it must be provided by the caller. Setting the jid too early causes various parts of the library to assume we have done binding already since that is where that value comes from curretly.
|
Update on xmpp.js
Update on this PR
I'm now considering splitting this PR into multiple parts |
Depends on #1030