-
lovetox
im getting this error from an ejabberd on entering the wrong password
-
lovetox
The response provided by the client doesn't match the one we calculated
-
lovetox
seems to me like an awfully developer oriented text message
-
lovetox
hm no sorry its prosody of course, ejabberd usually has pretty good error text
-
lovetox
so is there consensus what the text field of an error actually should contain?
-
lovetox
i know from history some server devs treat this like a debug string
-
defanor
I think providing such a message at all may be risky and unnecessary: as the RFC mentions, "In order to discourage directory harvest attacks, no differentiation is made between incorrect credentials and a nonexistent username.", while this points at incorrect credentials. Although even if it wasn't for a textual message, the number of challenges (with SCRAM, for instance) would give it up.
-
lovetox
i think you misinterpret that security recommendation
-
lovetox
its not recommended to send a message like "Password wrong" which means Username is correct, and so you can harvest users
-
lovetox
but it does not mean you cant send a message like "Incorrect Credentials" or "Username or Password wrong"
-
lovetox
which is exactly what every service i encountered does
-
lovetox
ha !
-
lovetox
and prosody handles that wrong, its possible to harvest usernames with the prosody sasl impl
-
defanor
Indeed, I was talking about Prosody's message. A non-informative textual message should be fine.
-
lovetox
it aborts after <auth> if the username is no known
-
lovetox
it aborts after <auth> if the username is not known
-
lovetox
if it knows the username, it sends a challenge
-
flow
lovetox, i'd say that <text/> should be user exposable, while encouraging impls to put detailed debug messages into something like <debug-text/>
-
lovetox
flow iq allows only one child or not?
-
flow
so? subchild
-
lovetox
yeah k :)
-
lovetox
i also think it should be user exposable
-
lovetox
that does not mean that every user in the world must understand what that message means
-
flow
Only very few places in xmpp disallow stuffing another extension element somewhere
-
lovetox
but it should be something that a user can easily google or ask for
-
flow
yep
-
flow
but to not alienate the user, making the text not too technical may also be good advice
-
lovetox
the standard is weird
-
lovetox
https://tools.ietf.org/html/rfc6120#section-6.5.10
-
lovetox
so not-authorized is allowed to be sent in response to <auth> and <response>
-
lovetox
if i send it in response to <auth> its evident that the username is not existent
-
lovetox
because thats the only thing i send in a auth
-
flow
but you don't have to send it right after auth
-
flow
also, it is sasl mechanism specific what is sent in auth
-
lovetox
yeah but i doubt any server impl, now does a random challenge
-
lovetox
for a non existent user
-
lovetox
to fake it
-
lovetox
yeah im talking about PLAIN, and SCRAM
-
lovetox
scram also puts a bit more in the auth, but nothing that would trigger a not-authorized if i do it wrong
-
lovetox
hm after auth was successful
-
lovetox
and there is a stream restart, is there an order of events
-
lovetox
like must the server first send the new stream header
-
lovetox
or does it not matter and i can fire it even if i didnt yet receive the server stream header
-
raucao
hi. i requested to get an account for the wiki a while back and was told to wait for someone with admin privileges...
-
raucao
just wanted to check in again
-
pep.
raucao, hey, you should stick around. Not everybody with rights is there everywhere, and they need your email iirc
-
pep.
Ge0rG, Guus ^
-
raucao
oh, could it be that there's no message archive for this room?
-
pep.
There is yeah but I don't know if everybody reads everything :)
-
pep.
(I think there is?)
-
raucao
looks like i have a hole in my history from when i wasn't joined
-
raucao
unless there weren't any messages for 7 days
-
raucao
ah, seeing the log link in the topic now. never mind
-
raucao
yeah, looks like MAM is not working for me in this room
-
raucao
(dino.im)
-
pep.
dino doesn't support muc mam
-
raucao
are you sure about that? i'm using it daily in many rooms
-
raucao
what would even be the difference between muc mam and just mam?
-
raucao
is it a different XEP than https://xmpp.org/extensions/xep-0313.html ?
-
pep.
muc mam is just mam on muc :)
-
pep.
And yes dino doesn't do that
-
pep.
it does normal muc history
-
raucao
certainly does not do "normal muc history". have that turned off in my rooms and using MAM
-
raucao
and dino works with it
-
raucao
unless i missed it not working for the last 12 months or so
-
raucao
normal history is just receiving a bunch of messages upon announcing presence, correct?
-
pep.
normal muc history is probably provided by your MAM module
-
raucao
https://github.com/dino/dino/wiki/Supported-XEPs
-
pep.
MUC join is you sending a join presence, you receiving all other occupants' presences, you receive a self presence, then you receive historical messages if there is any, then subject, then live messages
-
pep.
Ask in dino@ if you want
-
raucao
ok, well. i just told you that it works in all of the other many rooms i'm using and that i noticed it only for this room just now
-
raucao
but i'll ask there then
-
raucao
actually, nothing to ask for. i'll just check it myself
-
raucao
they clearly state that MAM is supported, and they also have it as an option in the room menu
-
raucao
pep., are you using dino daily, or where does that knowledge come from?
-
pep.
"Message history" in the room details is muc history, not MAM
-
raucao
it's not message history
-
pep.
it is.
-
raucao
it's literally message archiving
-
larma
raucao, pep. is right, dino doesn't do MAM in MUCs (dino dev here)
-
larma
though if you didn't recognize yet, MUC history isn't that bad it seems 🙂
-
pep.
raucao, sorry I'm not trying to play you
-
raucao
so it lets you enable it but doesn't do it?
-
raucao
that's very not great
-
raucao
https://xmpp.kosmos.org:5443/upload/791c7ed148e453f934ef56e1a4acb79a30845f0f/Eu5C2s84i7IGyDNlMGd1W6YYwrRb1TBxaHlih8MH/Screenshot_from_2020-03-14_18-34-54.png
-
pep.
raucao, enable?
-
raucao
the room options
-
pep.
that's not MAM
-
raucao
for room settings
-
larma
The MUC configuration form is sent from the server and just displayed by dino
-
pep.
That's confusing settings
-
raucao
message archiving is not message archiving?
-
pep.
(not dino's choice)
-
pep.
raucao, message archiving here is MUC history
-
raucao
waaat
-
raucao
guys
-
pep.
Ah wait
-
pep.
No, message archiving is MAM here, you're correct
-
raucao
of course it is
-
pep.
That doesn't mean dino fetches it
-
larma
raucao, servers can add arbitrary settings there, dino just displays them without knowing what they mean
-
raucao
we don't allow normal history on our server
-
Zash
MUC history is something you get when you join, unless you actively opt-out.
-
raucao
yes, i realize that it's the room setting
-
pep.
That's just options your server passes you
-
raucao
i know
-
raucao
still abysmal ux to show that and then not support it
-
raucao
no matter where it comes from
-
raucao
so it must be my phone that keeps track of history
-
larma
raucao, I do agree to some extent, but it's hard to do anything against that
-
raucao
and me being usually joined in the rooms i use
-
raucao
larma: what's so hard about implementing mam?
-
raucao
that's the right thing to do
-
raucao
if it does it for normal conversations anyway
-
pep.
raucao, "what's so hard about .." is probably not the way to do :p
-
raucao
that's a question in response to someone saying it
-
raucao
> but it's hard to do anything against that
-
raucao
that's a valid question
-
raucao
if someone says it's hard
-
raucao
i'm genuinely interested in improving the situation
-
pep.
it's slightly different than normal MAM, you have to target a MUC. You also have to special case MUC-PMs I guess
-
raucao
because i'm highly technical, so if i run into this, then many people will
-
pep.
And.. privacy concerns don't apply at the same points
-
pep.
Though I guess that should be solved when configuring the MUC..
-
raucao
there are no privacy concerns for local archives
-
larma
a) it's hard to implement MAM, especially with MUCs b) it's hard to filter room settings to not display settings that could be confusing because they don't affect dino
-
pep.
raucao, "local"?
-
pep.
muc mam is stored on the muc
-
raucao
yes, but your local history is stored locally
-
raucao
what you mean is already the room setting
-
raucao
so you can choose it per room
-
raucao
larma: so it's not implemented at all? i understood what pep. said as it being implemented for 1:1 chats
-
raucao
and it's clearly listed in https://github.com/dino/dino/wiki/Supported-XEPs
-
larma
It is implemented for your local server which means it can and does fetch the history of 1:1 chats
-
raucao
so for MUCs it would have to ask the MUC server is the main difference, aside from slightly different message, due to sender being the muc jid, right?
-
raucao
i added a comment on https://github.com/dino/dino/wiki/Supported-XEPs
-
raucao
so it's clear for people looking at that
-
raucao
sry for being offtopic in here now. the conversations/dino setup works so well for me that i was certain it must have been implemented :)
-
larma
the complicated part about MAM is not fetching messages, it's about fetching the messages you need, keeping track which you already got etc
-
raucao
yes, but you already solved that
-
raucao
obviously
-
larma
it becomes more complicated if you have multiple data sources
-
raucao
you only have one, no? the muc server's source
-
larma
well for the sync process I have mine and all the MUCs I am joined to
-
raucao
yes, of course
-
raucao
but that's only one variable
-
larma
it's not *that* simple
-
larma
I am not saying we are not going to implement it
-
larma
it's on the todo for 0.2 😉
-
raucao
cool
-
larma
(but it took more than 3 years from 0.0 to 0.1, so not sure what that means)
-
larma
it's a requirement for reactions which is also planned for 0.2 😉
-
raucao
i would say it's a requirement for all usage of a modern chat app
-
raucao
message history is a basic feature, which users of other chat apps do expect IMO
-
raucao
not just 20 messages "xmpp history", but i mean seamless archives with no holes
-
larma
you still have the local history, so it's not like things don't work properly
-
raucao
local history doesn't give you missing messages
-
raucao
to me it's broken
-
larma
it's just that if the server does not provide the necessary muc history to give you the missing messages that you have missing messages
-
raucao
no server will give you 1000 messages
-
larma
that's probably why you didn't even notice yet that there is no MAM in MUCs
-
raucao
especially not as default config
-
raucao
for normal history
-
raucao
because it's wildly inefficient
-
larma
you also usually don't look back 1000 messages in a history
-
raucao
no, but more than 20 for sure
-
raucao
the reason i didn't notice is that i usually don't leave rooms
-
larma
I am not saying it's perfect, but it's good enough for many
-
larma
well, if you leave a room you don't get its messages
-
larma
you are not supposed to
-
raucao
i think that's a very counterproductive opinion if you want users to switch from telegram et al
-
raucao
but you're entitled to it, of course
-
larma
if you leave a signal or whatsapp group and join again later, you won't be able to read the messages in between
-
raucao
i didn't say signal or whatsapp. those are usually not used with larger groups as chat channels
-
raucao
more like small group of friends
-
larma
same for IRC
-
raucao
hahaha
-
larma
or Matrix depending on channel configuration
-
raucao
saying it's as bad as IRC is not a good thing
-
raucao
discourse, slack, etc. are the competitors in this use case
-
larma
slack, the thing where you can only read the latest 5000 messages in the free version?
-
raucao
they all have seamless history, because otherwise you can't work with people properly
-
raucao
yes, that thing. people do pay for it. that should tell you that it's valuable to have the history
-
raucao
people literally pay money for chat history
-
raucao
it's hilarious, but that's proving how important it is for work
-
raucao
also gitter, mattermost, rocket.chat and all the other ones focused on public rooms
-
raucao
or work rooms
-
larma
I guess you miss my point. I am not saying we don't want to implement MAM in MUCs, just that there are many occasions where it is not wanted the way you are envisioning it