-
lovetox
hm can the new occupant id be used to identify messages from myself in a MUC?
-
lovetox
for example from another device of mine?
-
Zash
Quite possibly
-
lovetox
any server has already an impl for that xep?
-
Zash
There's a plugin for Prosody that's deployed in some places.
-
Zash
Or so I thought
-
Zash
lovetox: Enabled it on conference.prosody.im now if you want to test.
-
lovetox
thanks
-
lovetox
Zash and how is that implemented
-
lovetox
is it a hash of the full jid?
-
lovetox
so the server does not need to store anything?
-
Zash
Hash of JID + random value used as salt. The salt needs to be stored, but all the per-JID values can be computed and/or cached.
-
lovetox
if it can be computed it's not random or?
-
lovetox
i don't get why the random value, something like sha256 should be good without anything added or not?
-
Zash
The salt is generated once and stored with the room (internal) config
-
lovetox
ah ok
-
lovetox
so different occupant id per room
-
Zash
`HMAC(Bare JID, Room Salt)`
-
Zash
Yes
-
Zash
https://hg.prosody.im/prosody-modules/file/ae27f3359df8/mod_muc_occupant_id/mod_muc_occupant_id.lua#l25
-
lovetox
why not take the room jid then?
-
lovetox
but ok does not matter at this point
-
lovetox
i guess room has many settings to be stored
-
lovetox
one more does not matter
-
lovetox
hm so this means i need to store my occupant id per room
-
Zash
I imagine computing it from room jid would make it possible to guess identities.
-
lovetox
and fun things happen if the server db is deleted
-
lovetox
and suddenly i have a new occupant-id
-
Zash
Yeah
-
lovetox
i probably should plan for that
-
lovetox
so i need to store a list of ids per room
-
Zash
https://xmpp.org/extensions/xep-0421.html#id-generation > a MUC service SHOULD generate the identifier such that the occupant identifier of a user in one room of the service does not match the occupant identifier of the same user in another room of the same service.
-
Zash
Some way to know that the salt got reset could be good
-
lovetox
you know when you get a new occupant id on join
-
Zash
True
-
Zash
And then all previous ids would be invalidated
-
lovetox
but i don't know if it was worth the added complexity
-
Zash
🤷
-
lovetox
sha(user jid + roomjid) should be secure enough for this use case
-
lovetox
i can deal with my own id
-
lovetox
but if the goal was to recognize other people, this is really problematic
-
eta
lovetox: but then you can figure out whether a known jid is in the room
-
lovetox
true eta, didn't think about that
-
Zash
lovetox: What do you intend to use it for?
-
lovetox
Zash, i'm not sure yet, but this already tells me it can’t be anything too serious
-
lovetox
my first idea was
-
lovetox
show last nicknames of a user
-
lovetox
and to be fair, server db reset is probably a major event, all rooms would be gone etc
-
Zash
I thought the main use case was having last message correction work from MAM, ie letting you know that the user doing a correction was the same as the one sending the original message
-
lovetox
does not happen too often probably
-
lovetox
Zash, ah yes, good use case
-
lovetox
and it would not be bad if the occupant id changes
-
Zash
Hopefully it won't change just as someone corrects a typo...
-
lovetox
even if, the impact is not really big
-
lovetox
so one correction does not work, nothing a user will lose sleep over
-
Zash
Better than what happens now :)
-
Zash
And if your chat view has avatars then you could show the correct ones for historical messages.
-
lovetox
i could use the avatar hash as occupant id :D
-
lovetox
not a very good one though