jdev - 2024-04-28

  1. praveen

    hi can someone clarify about adding an SMS OTP 2FA auth for sign up https://github.com/monal-im/Monal/issues/565#issuecomment-2032017065

  2. praveen

    xep 0388 + fast tokens vs xep 0389, which one to choose

  3. singpolyma

    Is it just for signup or for log in?

  4. singpolyma

    For sign up it'll mean you can't use ibr anymore I suppose. In these cases I've been using a xep0060 with node of jabber:iq:register instead

  5. praveen

    sign up initially, it generates a random password for login

  6. singpolyma

    Right, so you *could* do fast only, or just random password as you say

  7. singpolyma

    The real trick is multi stage ibr replacement

  8. praveen

    isn't xep 0389 meant for this? any problems with it?

  9. singpolyma

    0389 doesn't seem to have a story about multi stage still AFAICT. So I'd probably stick with 0060

  10. MattJ

    0060? You mean 0077?

  11. singpolyma

    lol, no I mean 0050 off by one

  12. MattJ

    Ah right

  13. MattJ

    Pre-auth 0050?

  14. singpolyma

    yes. though multi stage also has problems with pre-auth generally if your connection dies before you complete the challenge

  15. singpolyma

    or https://xmpp.org/extensions/inbox/multistage-ibr.html but people *hated* that idea

  16. singpolyma

    in fact iirc the feedback to that xep was "just use 0050"

  17. praveen

    singpolyma, thanks, we will use xep 0050 - XEP-0050: Ad-Hoc Commands for this unless someone thinks xep 0389 can do it (at least Thilo thought it can fit).

  18. singpolyma

    You'll need to be careful about what happens if someone loses connection before completing the challenge

  19. singpolyma

    When they reconnect you won't know who they are unless you build a way

  20. singpolyma

    With Cheogram Android we've done a sort of hack where we give out severely limited JIDs to anyone but all they can do is 0050 against our onboarding. That way they can survive reconnects and we delete that temp jid when they're done. It's certainly not a flawless approach

  21. praveen

    But if this is a hacky approach, not every client supports it, I wonder if this is very useful.

  22. singpolyma

    No client will support what you're proposing, sure

  23. praveen

    why is an sms or email verification for sign up still so non standard in xmpp though?

  24. singpolyma

    Because it hasn't been done yet 🙂

  25. singpolyma

    I'm glad you're working on this

  26. praveen

    but we will need at least some guidance to pick the right way

  27. singpolyma

    I wonder how quicksy does it

  28. praveen

    quicksy did a client side custom change

  29. singpolyma

    What protocol do they use for the registration though?

  30. singpolyma

    Does it start with ibr and transition to something else?

  31. singpolyma

    Does it start with ibr and transition to something else?

  32. praveen

    client makes an http api call to quicksy server

  33. singpolyma

    So totally oob, no ibr or xmpp part of the flow

  34. praveen

    quicksy server verifies otp and creates account via ejabberd api

  35. praveen

    xep 0389 looks promising, if we can add missing bits to it

  36. singpolyma

    Pre auth 0050 is pretty sensible I think except for this question of what to do if the app disconnects part way through

  37. singpolyma

    0389 didn't look like it supported multi stage to me?

  38. singpolyma

    But maybe it's just not clear

  39. praveen

    let's see if anyone else has an idea about xep 0389

  40. singpolyma

    Anything with multi stage in pre auth will need to solve this what if they disconnect question

  41. singpolyma

    With 0050 you could solve it by having client remember the session id and using that as your cookie for example

  42. praveen

    if other clients are open to implementing 0050 based flow, that works, at least Monal is interested in 0389

  43. singpolyma

    Sure, I'd be curious to see if 0389 can even do what you want, and how it solves the disconnect problem if so

  44. praveen

    I asked a follow up question to Thilo, let's see what they think

  45. singpolyma

    Thilo will have this disconnect problem 100% of the time so it's not an edge case for them

  46. praveen

    would fast token solve this issue?

  47. praveen


  48. praveen

    Maybe we need to modify that to replace temporary jid with temporary token that can only be used to complete sign up?

  49. singpolyma

    Fast is for auth after you already have an account