Mercurial > prosody-modules
view mod_invites_tracking/README.md @ 5404:1087f697c3f3
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in of unvalidated data that might become used
later, especially since the 'additionalProperties' schema keyword was
removed in 698fef74ce53
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 May 2023 16:23:40 +0200 |
| parents | 32f1f18f4874 |
| children |
line wrap: on
line source
--- labels: - 'Stage-Alpha' summary: 'Store who created the invite to create a user account' ... Introduction ============ Invites are an intermediate way between opening registrations completely and closing registrations completely. By letting users invite other users to the server, an administrator exposes themselves again to the risk of abuse. To combat that abuse more effectively, this module allows to store (outside of the user’s information) who created an invite which was used to create the user’s account. Details ======= Add to `modules_enabled`. Caveats ======= - The information is not deleted even when the associated user accounts are deleted. - Currently, there is no way to make any use of that information.