Mercurial > prosody-modules
diff mod_client_management/README.md @ 5650:0eb2d5ea2428
merge
author | Stephen Paul Weber <singpolyma@singpolyma.net> |
---|---|
date | Sat, 06 May 2023 19:40:23 -0500 |
parents | 7c123d3285de |
children | e9af6abf2b1e |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_client_management/README.md Sat May 06 19:40:23 2023 -0500 @@ -0,0 +1,146 @@ +--- +labels: +- Stage-Beta +summary: "Manage clients with access to your account" +rockspec: + dependencies: + - mod_sasl2_fast +--- + +This module allows a user to identify what currently has access to their +account. + +This module depends on [mod_sasl2_fast] and mod_tokenauth (bundled with +Prosody). Both will be automatically loaded if this module is loaded. + +## Configuration + +| Name | Description | Default | +|---------------------------|--------------------------------------------------------|-----------------| +| enforce_client_ids | Only allow SASL2-compatible clients | `false` | + +When `enforce_client_ids` is not enabled, the client listing may be less accurate due to legacy clients, +which can only be tracked by their resource, which is public information, not necessarily unique to a +client instance, and is also exposed to other XMPP entities the user communicates with. + +When `enforce_client_ids` is enabled, clients that don't support SASL2 and provide a client id will be +denied access. + +## Shell usage + +You can use this module via the Prosody shell. For example, to list a user's +clients: + +```shell +prosodyctl shell user clients user@example.com +``` + +## Compatibility + +Requires Prosody trunk (as of 2023-03-29). Not compatible with Prosody 0.12 +and earlier. + +## Developers + +### Protocol + +#### Listing clients + +To list clients that have access to the user's account, send the following +stanza: + +```xml +<iq id="p" type="get"> + <list xmlns="xmpp:prosody.im/protocol/manage-clients"/> +</iq> +``` + +The server will respond with a list of clients: + +```xml +<iq id="p" to="mattj-gajim@auth2.superxmpp.com/gajim.UYJKBHKT" type="result" xmlns="jabber:client"> + <clients xmlns="xmpp:prosody.im/protocol/manage-clients"> + <client connected="true" id="client/zeiP41HLglIu" type="session"> + <first-seen>2023-04-06T14:26:08Z</first-seen> + <last-seen>2023-04-06T14:37:25Z</last-seen> + <auth> + <password/> + </auth> + <user-agent> + <software>Gajim</software> + <uri>https://gajim.org/</uri> + <device>Juliet's laptop</device> + </user-agent> + </client> + <client connected="false" id="grant/HjEEr45_LQr" type="access"> + <first-seen>2023-03-27T15:16:09Z</first-seen> + <last-seen>2023-03-27T15:37:24Z</last-seen> + <user-agent> + <software>REST client</software> + </user-agent> + </client> + </clients> +</iq> +``` + +On the `<client/>` tag most things are self-explanatory. The following attributes +are defined: + +- 'connected': a boolean that reflects whether this client has an active session +on the server (i.e. this includes connected and "hibernating" sessions). +- 'id': an opaque reference for the client, which can be used to revoke access. +- 'type': either `"session"` if this client is known to have an active or inactive + client session on the server, or "access" if no session has been established (e.g. + it may have been granted access to the account, but only used non-XMPP APIs or + never logged in). + +The `<first-seen/>` and `<last-seen/>` elements contain timestamps that reflect +when a client was first granted access to the user's account, and when it most +recently used that access. For active sessions, it may reflect the current +time or the time of the last login. + +The `<user-agent/>` element contains information about the client software. It +may contain any of three optional child elements, each containing text content: + +- `<software/>` - the name of the software +- `<uri/>` - a URI/URL for the client, such as a homepage +- `<device/>` - a human-readable identifier/name for the device where the client + runs + +The `<auth/>` element lists the known authentication methods that the client +has used to gain access to the account. The following elements are defined: + +- `<password/>` - the client has presented a valid password +- `<grant/>` - the client has a valid authorization grant (e.g. via OAuth) +- `<fast/>` - the client has active FAST tokens + +#### Revoking access + +To revoke a client's access, send a `<revoke/>` element with an 'id' attribute +containing one of the client ids fetched from the list: + +```xml +<iq id="p" type="set"> + <revoke xmlns="xmpp:prosody.im/protocol/manage-clients" id="grant/HjEEr45_LQr" /> +</iq> +``` + +The server will respond with an empty result if the revocation succeeds: + +```xml +<iq id="p" type="result" /> +``` + +If the client has previously authenticated with a password, there is no way to +revoke access except by changing the user's password. If you request +revocation of such a client, the server will respond with a 'service-unavailable' +error, with the 'password-reset-required' application error: + +```xml +<iq id="p" type="error"> + <error type="cancel"> + <service-unavailable xmlns="xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'"> + <password-reset-required xmlns="xmpp:prosody.im/protocol/manage-clients"/> + </error> +</iq> +```