XMPP Service Operators - 2022-09-30

I'm looking to set up an XMPP server with registration by application, as a simple anti-bot measure. I'm looking at XEP0077, it doesn't have anything obvious about "registration pending", should I just have it redirect and handle it elsewhere? I'm also intending to have a bypass for it where a certain value in the application will grant immediate acceptance (for anyone in the server's vicinity). I assume I can handle that with a bot or something, worst-case.

A command line script can be an application too, not sure what you mean...

What if you build a request form of some sort, then hand out invite links (obligatory plug: https://blog.prosody.im/great-invitations/ ) after processing

This ^^^

Yeah that.

I guess that's good enough. So I can't do it in-band?

You can't block bots (or not that efficiently) with in-band, no

Fair enough. Thanks.

Anything is possible if you modify / write a plugin for the server

Not sure how potential users will react to waiting time tho. And how will you communicate their approval?

Wouldn't the client need to be able to handle that, though? That you submit a registration and it doesn't reject, per se.

>Not sure how potential users will react to waiting time tho Not my problem. >And how will you communicate their approval? ... I'll figure it out.

An anti-spam approach I think was discussed before is to allow the registration and let them sign in, but then limit what they can do with internal firewall rules.

Probably I'll just give them a key and it returns processing/accepted/rejected. Let them hit that page 1000 times a second or whatever.

At that point you can also send a message explaining that their account is pending review before it's fully enabled.

Hmm, I'm interested in that. Is there a document about it?

Not specifically. I'd imagine it as something you would build using https://modules.prosody.im/mod_firewall.html

I should still be able to get the custom data ("prove you're a human by writing a thesis on black holes" or w/e, but less easily pasta'd) during the registration directly, in that case, right?

zergling_man, https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/

zergling_man: in Metronome dev Maranda has something interesting for gdpr compliance where server to server is blocked until user agrees, so doable...

I'm not familiar with either of those proper nouns, where can I read more about that?

Umm which one? https://gdpr.eu/what-is-gdpr/ https://metronome.im/

Specifically about the blocking-until-agree bit. ... Seems metronome don't know how to build websites.

zergling_man: https://github.com/maranda/metronome/blob/master/plugins/mod_gdpr.lua

Thanks

zergling_man: if you enable verification in mod_register_api, all accounts registered, even using IBR, are put on hold until verified with a mail address. And if not verified within 5 minutes are deleted.

(in Metronome)

_Our messaging system is great, if you have an account on the other messaging system so we can verify you, because we trust the other system_

Licaon_Kter as usual complain with who abuses

for the requirement of OOB verification.

True

Good points. For any constructive idea about how we could improve upon this, feel free to chime in via xmpp:mod-ideas@conference.movim.eu

xmpp:mod-ideas@conference.movim.eu?join

updated expat is in testing for fedora: sudo dnf update --enablerepo=*updates-testing expat

Sapotaceae: has been in debian for a week, why the holdup? :)

So... I think I can do it with a single rule in mod_firewall that checks if it's a registration and it put the special code, then set user's role to approved. Default role gets no perms and admins can manually add approved role. Maybe could have a firewall rule that triggers on permission change to message the approved user, is that possible? If not I can just have a bot polling approvals list every few minutes and sending out welcome messages for anyone that's moved up.

Huh. I forgot to mark the new role stuff in mod_firewall as requiring prosody trunk...

Oh wait, maybe it doesn't? Due to mod_compat_roles. Not sure. Maybe ignore me 🙂