lovetox: i'm getting this error from an ejabberd on entering the wrong password
lovetox: The response provided by the client doesn't match the one we calculated
lovetox: seems to me like an awfully developer-oriented text message
lovetox: hm no sorry it's prosody of course, ejabberd usually has pretty good error text
lovetox: so is there consensus on what the text field of an error actually should contain?
lovetox: i know from history some server devs treat this like a debug string
defanor: I think providing such a message at all may be risky and unnecessary: as the RFC mentions, "In order to discourage directory harvest attacks, no differentiation is made between incorrect credentials and a nonexistent username.", while this points at incorrect credentials. Although even if it wasn't for a textual message, the number of challenges (with SCRAM, for instance) would give it up.
lovetox: i think you misinterpret that security recommendation
lovetox: it's not recommended to send a message like "Password wrong" which means Username is correct, and so you can harvest users
lovetox: but it does not mean you can't send a message like "Incorrect Credentials" or "Username or Password wrong"
lovetox: which is exactly what every service i encountered does
lovetox: and prosody handles that wrong, it's possible to harvest usernames with the prosody sasl impl
defanor: Indeed, I was talking about Prosody's message. A non-informative textual message should be fine.
lovetox: it aborts after <auth> if the username is no known
lovetox: it aborts after <auth> if the username is not known
lovetox: if it knows the username, it sends a challenge
flow: lovetox, i'd say that <text/> should be user exposable, while encouraging impls to put detailed debug messages into something like <debug-text/>
lovetox: flow iq allows only one child or not?
lovetox: yeah k :)
lovetox: i also think it should be user exposable
lovetox: that does not mean that every user in the world must understand what that message means
flow: Only very few places in xmpp disallow stuffing another extension element somewhere
lovetox: but it should be something that a user can easily google or ask for
flow: but to not alienate the user, making the text not too technical may also be good advice
pep.: MUC join is you sending a join presence, you receiving all other occupants' presences, you receive a self presence, then you receive historical messages if there are any, then subject, then live messages
pep.: Ask in dino@ if you want
raucao: ok, well. i just told you that it works in all of the other many rooms i'm using and that i noticed it only for this room just now
raucao: but i'll ask there then
raucao: actually, nothing to ask for. i'll just check it myself
raucao: they clearly state that MAM is supported, and they also have it as an option in the room menu
raucao: pep., are you using dino daily, or where does that knowledge come from?
pep.: "Message history" in the room details is muc history, not MAM
raucao: it's not message history
raucao: it's literally message archiving
larma: raucao, pep. is right, dino doesn't do MAM in MUCs (dino dev here)
larma: though if you didn't recognize yet, MUC history isn't that bad it seems 🙂