-
darkijah
hello
-
darkijah
anyone there?
-
MattJ
@SCAM: FOSDEM call for stands is open, though hopefully nobody is actually relying on me to know that :)
-
flow
hmm, online stands?
-
MattJ
Yes, online stands
-
MattJ
I think it would be good to issue (as early as possible) a call for content from projects
-
MattJ
People may need time to prepare
-
Zash
How does an online stand even work?
-
SamWhited
Video chat with slides and the website shared?
-
antranigv
Is there any "reset password" standard?
-
antranigv
I was thinking of this: the user asks for "reset password", the server looks for emails in the VCard, and we send the "link", say via HTTP, OR a new password, to their specified email.
-
MattJ
I'm not aware of a standard for that, no. Also using the vCard is unwise because it's typically not verified (so a typo could grant someone else access to the account, etc.)
-
mathieui
would be nice to have a standard way of reaching the user as a service or admin though
-
MattJ
Also I may not want to publish an email but still have one registered, or I may want to use a different email for my account but publish a different public email address
-
mathieui
We often have to correlate the little data we have when we get a "lost password" request
-
MattJ
For Prosody I'm planning to work on verified email (and possibly phone number) support, which would help a lot with that
-
jonas’
:-O
-
SamWhited
It's not widely supported, but XEP-0389 handles password reset
-
MattJ
Ah yes
-
MattJ
So the future is hopeful :)
-
Ge0rG
SamWhited: by asking for an email during EIBR?
-
antranigv
MattJ, that would be nice, I run a mix of prosody and ejabberd, but the main jabber.am server is still prosody, and would love to see that.
-
SamWhited
Sure, that would be one way
-
SamWhited
You could also do it after registration. Eventually maybe define a URI to open the client and continue the reset process
-
Daniel
In some scenarios it might make sense to tie the account registration to SMS verification anyway.
-
SamWhited
(eIBR can also do that; really this is the use case I had in mind when I designed it :) )
-
Ge0rG
how do you get the URI after you lost your password?
-
Ge0rG
Daniel: how is quicksy going btw?
-
Daniel
Terribly
-
SamWhited
Ge0rG: eIBR works before login, so somewhere in your client you'd pick "I forgot my password" or something and it would just select the eIBR feature instead of the normal auth feature
-
Ge0rG
SamWhited: ah well, doing oob authentication during password reset is probably not the challenging part ;)
-
Ge0rG
I was looking into how to make the users define the oob channel in advance in a sensible way
-
SamWhited
Ge0rG: I guess I'm not sure what you mean? What is "define the oob channel?"
-
Ge0rG
SamWhited: a user needs to give an email address / phone number / avian carrier coordinates at some time, and the server needs to verify that
-
Ge0rG
it shouldn't be mandatory though
-
SamWhited
Ge0rG: if you're using eIBR you could use the dataform challenge and just ask for that stuff, or you could define your own more specific challenge if dataforms aren't desired
-
Daniel
Ge0rG: I think you need to transport the actual carrier, not the coordinates
-
Daniel
Like Mail it in or something
-
Zash
Ad-hoc command?
-
Ge0rG
SamWhited: well, passing an email during IBR has been a thing for seventeen years now
-
Ge0rG
I'm not sure if any server implementation will actually verify that email address
-
MattJ
Prosody doesn't, currently
-
SamWhited
Sure, how the server actually implements things is up to them
-
Ge0rG
Daniel: good point. I'm not sure if that's in scope for eIBR though
-
Ge0rG
integrated IM solutions can do nifty things like https://developers.google.com/identity/sms-retriever/overview
-
dwd
We did a password reset system for a failed product at Surevine. Built around two SASL mechanisms, one for the "I forgot my password" bit, and a one-time reset code one to handle the "Click here to reset your password" link.
-
Maranda
Ge0rG: Metronome does, and also verifies that the address is not a disposable one....
-
jonas’
Maranda, how do you verify that it’s not disposable? :)
-
Maranda
I pass the domain name to an external REST API which does that
-
Maranda
If it's caught as DEA it will invalidate the registration
-
Ge0rG
> an external REST API
That's how the internet works, right?
-
Maranda
Ge0rG: if you want you can implement your own thing, and collect the data required... Tbh I found it more convenient to let someone else do the latter, and since.. Yes most ppl use a REST API.
-
Maranda
😺
-
Ge0rG
Maranda: not criticizing you, I understand the trade-offs
-
mathieui
Oh no, those APIs are the bane of my existence since I use spamgourmet
-
Maranda
... Had to look up the DB I use in the code because it's been years since I touched it. Anyways it's https://www.nameapi.org/
-
moparisthebest
If you are going to do it that's probably a fine way, but... Why prohibit disposable emails at all
-
mathieui
moparisthebest, because that’s what spammers use
-
Maranda
moparisthebest: they're used by spammers to circumvent verification
-
moparisthebest
Spammers set up their own domains no problem
-
SamWhited
Spammers generally don't like to set up their own domains because other providers use domain reputation and if you set up a new domain you don't have a positive reputation to help you land in people's inboxes even though the contents of your message looked kind of spammy.
-
MattJ
You're right, it should be a simple whitelist of gmail.com, outlook.com, yahoo.com
-
Maranda
moparisthebest: once they become detected and listed, nameapi will block those as well
-
Maranda
They do several checks
-
Maranda
Not just DEA
-
Maranda
It served me well enough over the years
-
Zash
MattJ, make sure to whitelist their MXes so everyone with custom domains isn't blocked!
-
moparisthebest
this is probably bad, I know SamWhited does Go XMPP stuff, anyone else? https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
-
jonas’
moparisthebest: oh my
-
moparisthebest
I'm not absolutely positive whether this is a deal breaker for XMPP or not, looks like attribute/element ordering isn't preserved
-
moparisthebest
it is "unfixable" at the moment so they just dropped it
-
Kev
I'm not sure it's a security vulnerability, but it's definitely not irrelevant, e.g. data forms.
-
Kev
Also Atom over pubsub, I guess.
-
moparisthebest
this is old but I just saw it today too, a case of bad XML comment parsing causing a major security bug in iOS https://siguza.github.io/psychicpaper/ / https://twitter.com/s1guza/status/1255641164885131268
-
moparisthebest
https://i.imgflip.com/4qcxj6.jpg