-
zergling_man
I'm looking to set up an XMPP server with registration by application, as a simple anti-bot measure. I'm looking at XEP-0077, it doesn't have anything obvious about "registration pending", should I just have it redirect and handle it elsewhere? I'm also intending to have a bypass for it where a certain value in the application will grant immediate acceptance (for anyone in the server's vicinity). I assume I can handle that with a bot or something, worst-case.
-
Licaon_Kter
A command line script can be an application too, not sure what you mean...
-
Zash
What if you build a request form of some sort, then hand out invite links (obligatory plug: https://blog.prosody.im/great-invitations/ ) after processing
-
Licaon_Kter
This ^^^
-
zergling_man
Yeah that.
-
zergling_man
I guess that's good enough. So I can't do it in-band?
-
Licaon_Kter
You can't block bots (or not that efficiently) with in-band, no
-
zergling_man
Fair enough. Thanks.
-
Zash
Anything is possible if you modify / write a plugin for the server
-
Zash
Not sure how potential users will react to waiting time tho. And how will you communicate their approval?
-
zergling_man
Wouldn't the client need to be able to handle that, though? That you submit a registration and it doesn't reject, per se.
-
zergling_man
> Not sure how potential users will react to waiting time tho
Not my problem.
> And how will you communicate their approval?
... I'll figure it out.
-
Zash
An anti-spam approach I think was discussed before is to allow the registration and let them sign in, but then limit what they can do with internal firewall rules.
-
zergling_man
Probably I'll just give them a key and it returns processing/accepted/rejected. Let them hit that page 1000 times a second or whatever.
-
Zash
At that point you can also send a message explaining that their account is pending review before it's fully enabled.
-
zergling_man
Hmm, I'm interested in that. Is there a document about it?
-
Zash
Not specifically. I'd imagine it as something you would build using https://modules.prosody.im/mod_firewall.html
-
zergling_man
I should still be able to get the custom data ("prove you're a human by writing a thesis on black holes" or w/e, but less easily pasta'd) during the registration directly, in that case, right?
-
Zash
zergling_man, https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/
-
Licaon_Kter
zergling_man: in Metronome dev Maranda has something interesting for gdpr compliance where server to server is blocked until user agrees, so doable...
-
zergling_man
I'm not familiar with either of those proper nouns, where can I read more about that?
-
Licaon_Kter
Umm which one? https://gdpr.eu/what-is-gdpr/ https://metronome.im/
-
zergling_man
Specifically about the blocking-until-agree bit. ... Seems metronome don't know how to build websites.
-
Licaon_Kter
zergling_man: https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua
-
zergling_man
Thanks
-
Maranda
zergling_man: if you enable verification in mod_register_api, all accounts registered, even using IBR, are put on hold until verified with a mail address. And if not verified within 5 minutes, they are deleted.
-
Maranda
(in Metronome)
-
Licaon_Kter
_Our messaging system is great, if you have an account on the other messaging system so we can verify you, because we trust the other system_
-
Maranda
Licaon_Kter as usual complain with who abuses
-
Maranda
for the requirement of OOB verification.
-
Licaon_Kter
True
-
bkil
Good points. For any constructive idea about how we could improve upon this, feel free to chime in via xmpp:mod-ideas@conference.movim.eu
-
Menel
xmpp:mod-ideas@conference.movim.eu?join
-
Sapotaceae
updated expat is in testing for fedora: sudo dnf update --enablerepo=*updates-testing expat
-
Licaon_Kter
Sapotaceae: has been in debian for a week, why the holdup? :)
-
zergling_man
So... I think I can do it with a single rule in mod_firewall that checks if it's a registration and it put the special code, then set user's role to approved. Default role gets no perms and admins can manually add approved role. Maybe could have a firewall rule that triggers on permission change to message the approved user, is that possible? If not I can just have a bot polling approvals list every few minutes and sending out welcome messages for anyone that's moved up.
-
MattJ
Huh. I forgot to mark the new role stuff in mod_firewall as requiring prosody trunk...
-
MattJ
Oh wait, maybe it doesn't? Due to mod_compat_roles. Not sure. Maybe ignore me 🙂