jdev - 2020-08-01

hm can the new occupant id be used to identify messages from myself in a MUC?

for example from another device of mine?

Quite possibly

any server has already a impl for that xep?

There's a plugin for Prosody that's deployed in some places.

Or so I thought

lovetox: Enabled it on conference.prosody.im now if you want to test.

thanks

Zash and how is that implemented

is it a hash of the full jid?

so the server does not need to store anything?

Hash of JID + random value used as salt. The salt needs to be stored, but all the per-JID values can be computed and/or cached.

if it can be computed its not random or?

i dont get why the random value, something like sha256 should be good without anything added or not?

The salt is generated once and stored with the room (internal) config

ah ok

so different occupant id per room

`HMAC(Bare JID, Room Salt)`

Yes

https://hg.prosody.im/prosody-modules/file/ae27f3359df8/mod_muc_occupant_id/mod_muc_occupant_id.lua#l25

why not take the room jid then?

but ok does not matter at this point

i guess room has many settings to be stored

one more does not matter

hm so this means i need to store my occupant id per room

I imagine computing it from room jid would make it possible to guess identities.

and fun things happen if the server db is deleted

and suddenly i have a new occupant-id

Yeah

i probably should plan for that

so i need to store a list of ids per room

https://xmpp.org/extensions/xep-0421.html#id-generation > a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service.

Some way to know that the salt got reset could be good

you know when you get a new occupant id on join

True

And then all previous ids would be invalidated

but i dont know if it was worth the added complexity

🤷

sha(user jid + roomjid) should be secure enough for this use case

i can deal with my own id

but if the goal was to recognize other people, this is really problematic ✏

lovetox: but then you can figure out whether a known jid is in the room

true eta, didnt think about that

lovetox: What do you intend to use it for?

Zash, im not sure yet, but this already tells me it can’t be anythin too serious

my first idea was

show last nicknames of a user

and to be fair, server db reset is probably a major event, all rooms would be gone etc

I thought the main use case was having last message correction work from MAM, ie letting you know that the user doing a correction was the same as the one sending the original message

does not happen too often probably

Zash, a yes good usecase

and it would not be bad if the occupant id changes

Hopefully it won't change just as someone corrects a typo...

even if, the impact is not really big

so one correction does not work, nothing a user will lose sleep over

Better than what happens now :)

And if your chat view has avatars then you could show the correct ones for historical messages.

i could use the avatar hash as occupant id :D

not a very good one though