XMPP Service Operators - 2022-09-30

  1. zergling_man

    I'm looking to set up an XMPP server with registration by application, as a simple anti-bot measure. I'm looking at XEP-0077, it doesn't have anything obvious about "registration pending", should I just have it redirect and handle it elsewhere? I'm also intending to have a bypass for it where a certain value in the application will grant immediate acceptance (for anyone in the server's vicinity). I assume I can handle that with a bot or something, worst-case.

  2. Licaon_Kter

    A command line script can be an application too, not sure what you mean...

  3. Zash

    What if you build a request form of some sort, then hand out invite links (obligatory plug: https://blog.prosody.im/great-invitations/ ) after processing?

  4. Licaon_Kter

    This ^^^

  5. zergling_man

    Yeah that.

  6. zergling_man

    I guess that's good enough. So I can't do it in-band?

  7. Licaon_Kter

    You can't block bots (or not that efficiently) with in-band, no

  8. zergling_man

    Fair enough. Thanks.

  9. Zash

    Anything is possible if you modify / write a plugin for the server

  10. Zash

    Not sure how potential users will react to waiting time tho. And how will you communicate their approval?

  11. zergling_man

    Wouldn't the client need to be able to handle that, though? That you submit a registration and it doesn't reject, per se.

  12. zergling_man

    > Not sure how potential users will react to waiting time tho
    Not my problem.
    > And how will you communicate their approval?
    ... I'll figure it out.

  13. Zash

    An anti-spam approach I think was discussed before is to allow the registration and let them sign in, but then limit what they can do with internal firewall rules.

  14. zergling_man

    Probably I'll just give them a key and it returns processing/accepted/rejected. Let them hit that page 1000 times a second or whatever.

  15. Zash

    At that point you can also send a message explaining that their account is pending review before it's fully enabled.

  16. zergling_man

    Hmm, I'm interested in that. Is there a document about it?

  17. Zash

    Not specifically. I'd imagine it as something you would build using https://modules.prosody.im/mod_firewall.html

  18. zergling_man

    I should still be able to get the custom data ("prove you're a human by writing a thesis on black holes" or w/e, but less easily pasta'd) during the registration directly, in that case, right?

  19. Zash

    zergling_man, https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/

  20. Licaon_Kter

    zergling_man: in Metronome dev Maranda has something interesting for gdpr compliance where server to server is blocked until user agrees, so doable...

  21. zergling_man

    I'm not familiar with either of those proper nouns, where can I read more about that?

  22. Licaon_Kter

    Umm which one? https://gdpr.eu/what-is-gdpr/ https://metronome.im/

  23. zergling_man

    Specifically about the blocking-until-agree bit. ... Seems metronome don't know how to build websites.

  24. Licaon_Kter

    zergling_man: https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua

  25. zergling_man


  26. Maranda

    zergling_man: if you enable verification in mod_register_api, all accounts registered, even using IBR, are put on hold until verified with a mail address. And if not verified within 5 minutes are deleted.

  27. Maranda

    (in Metronome)

  28. Licaon_Kter

    _Our messaging system is great, if you have an account on the other messaging system so we can verify you, because we trust the other system_

  29. Maranda

    Licaon_Kter as usual complain with who abuses

  30. Maranda

    for the requirement of OOB verification.

  31. Licaon_Kter


  32. bkil

    Good points. For any constructive idea about how we could improve upon this, feel free to chime in via xmpp:mod-ideas@conference.movim.eu

  33. Menel


  34. Sapotaceae

    updated expat is in testing for Fedora: sudo dnf update --enablerepo=*updates-testing expat

  35. Licaon_Kter

    Sapotaceae: has been in Debian for a week, why the holdup? :)

  36. zergling_man

    So... I think I can do it with a single rule in mod_firewall that checks if it's a registration and it put the special code, then set user's role to approved. Default role gets no perms and admins can manually add approved role. Maybe could have a firewall rule that triggers on permission change to message the approved user, is that possible? If not I can just have a bot polling approvals list every few minutes and sending out welcome messages for anyone that's moved up.

  37. MattJ

    Huh. I forgot to mark the new role stuff in mod_firewall as requiring prosody trunk...

  38. MattJ

    Oh wait, maybe it doesn't? Due to mod_compat_roles. Not sure. Maybe ignore me 🙂