changeset 2161:95a9f2d234da

Add mod_http_roster_admin
author JC Brand <jc@opkode.com>
date Fri, 15 Apr 2016 16:59:27 +0000
parents 394a62163a91
children f1ea8044f9f8 4b58e35a72e0 126d79bf079b
files mod_http_roster_admin/LICENSE mod_http_roster_admin/README mod_http_roster_admin/mod_http_roster_admin.lua
diffstat 3 files changed, 761 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_http_roster_admin/LICENSE	Fri Apr 15 16:59:27 2016 +0000
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in 
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_http_roster_admin/README	Fri Apr 15 16:59:27 2016 +0000
@@ -0,0 +1,91 @@
+mod_http_roster_admin
+=====================
+
+NOTE: THIS MODULE IS RELEASED UNDER THE MOZILLA PUBLIC LICENSE VERSION 2.
+
+Normally the XMPP server will store and maintain the users' contact
+rosters. This module lets you delegate roster management to an external
+service.
+
+Prosody will make an HTTP request to fetch the roster from the external
+service. The service will need to notify Prosody whenever a user's roster
+changes, so that Prosody can fetch a new roster for that user.
+
+Configuring this module
+-----------------------
+
+This module relies on `mod_storage_memory` and `mod_block_subscriptions`.
+
+In `.parts/prosody/etc/prosody/prosody.cfg.lua`, where your particular
+`VirtualHost` is being configured, add the following:
+
+    modules_enabled = {
+        "http_roster_admin",
+        "block_subscriptions",
+        "storage_memory",
+        "http_files"
+    }
+    modules_disabled = {
+         -- Prosody will get the roster from the backend app,
+         -- so we disable the default roster module.
+        "roster"
+    }
+    storage = { roster = "memory" }
+    http_roster_url = "http://localhost/contacts/%s" -- %s will be replaced by an URL-encoded username
+
+The `http_roster_url` parameter needs to be configured to point to the
+URL in the backend application which returns users' contacts rosters.
+
+In this URL, the pattern `%s` is replaced by an URL-encoded username.
+
+When the user *john* then connects to Prosody, and `http_roster_url` is
+set to “http://app.example.org/contacts/%s”, then Prosody will make a
+GET request to http://app.example.org/contacts/john
+
+Notifying Prosody of roster changes
+***********************************
+
+The external service needs to notify Prosody whenever a user's roster
+changes. To do this, it must make an HTTP POST request to either:
+
+* http://localhost:5280/roster_admin/refresh
+* https://localhost:5281/roster_admin/refresh
+
+Make sure that the "http_files" module is enabled in Prosody's configuration,
+for the above URLs to served.
+
+Ports 5280/5281 can be firewalled and the web server (i.e. Apache or Nginx)
+can be configured to reverse proxy those URLs to for example
+https://example.org/http-bind.
+
+The contents of the POST should be a JSON encoded array of usernames whose
+rosters have changed.
+
+For example, if user ‘john’ became friends with ‘aaron’, both john’s
+contact list and aaron’s contact lists have changed:
+
+```
+    ["john", "aaron"]
+```
+
+When the operation is complete Prosody will reply with a summary of the
+operation - a JSON object containing:
+
+* **status**: either “ok” (success) or “error” (operation completely failed)
+* **message**: A human-readable message (for logging and debugging purposes)
+* **updated**: The number of rosters successfully updated
+* **errors**: The number of rosters that failed to update
+
+Example:
+
+```
+    {
+        "status":  "ok",
+        "message": "roster update complete",
+        "updated": 2,
+        "errors":  0
+    }
+```
+
+Prosody may also return status codes `400` or `500` in case of errors (such
+as a missing/malformed body).
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_http_roster_admin/mod_http_roster_admin.lua	Fri Apr 15 16:59:27 2016 +0000
@@ -0,0 +1,297 @@
+-- mod_http_roster_admin
+-- Description: Allow user rosters to be sourced from a remote HTTP API
+--
+-- Version: 1.0
+-- Date: 2015-03-06
+-- Author: Matthew Wild <matthew@prosody.im>
+-- License: MPLv2
+--
+-- Requirements:
+--   Prosody config:
+--     storage = { roster = "memory" }
+--     modules_disabled = { "roster" }
+--   Dependencies:
+--     Prosody 0.9
+--     lua-cjson (Debian/Ubuntu/LuaRocks: lua-cjson)
+
+local http = require "net.http";
+local json = require "cjson";
+local it = require "util.iterators";
+local set = require "util.set";
+local rm = require "core.rostermanager";
+local st = require "util.stanza";
+local array = require "util.array";
+
+local host = module.host;
+local sessions = hosts[host].sessions;
+
+local roster_url = module:get_option_string("http_roster_url", "http://localhost/%s");
+
+-- Send a roster push to the named user, with the given roster, for the specified
+-- contact's roster entry. Used to notify clients of changes/removals.
+local function roster_push(username, roster, contact_jid)
+	local stanza = st.iq({type="set"})
+		:tag("query", {xmlns = "jabber:iq:roster" });
+	local item = roster[contact_jid];
+	if item then
+		stanza:tag("item", {jid = contact_jid, subscription = item.subscription, name = item.name, ask = item.ask});
+		for group in pairs(item.groups) do
+			stanza:tag("group"):text(group):up();
+		end
+	else
+		stanza:tag("item", {jid = contact_jid, subscription = "remove"});
+	end
+	stanza:up():up(); -- move out from item
+	for _, session in pairs(hosts[host].sessions[username].sessions) do
+		if session.interested then
+			session.send(stanza);
+		end
+	end
+end
+
+-- Send latest presence from the named local user to a contact.
+local function send_presence(username, contact_jid, available)
+	module:log("debug", "Sending %savailable presence from %s to contact %s", (available and "" or "un"), username, contact_jid);
+	for resource, session in pairs(sessions[username].sessions) do
+		local pres;
+		if available then
+			pres = st.clone(session.presence);
+			pres.attr.to = contact_jid;
+		else
+			pres = st.presence({ to = contact_jid, from = session.full_jid, type = "unavailable" });
+		end
+		module:send(pres);
+	end
+end
+
+-- Converts a 'friend' object from the API to a Prosody roster item object
+local function friend_to_roster_item(friend)
+	return {
+		name = friend.name;
+		subscription = "both";
+		groups = friend.groups or {};
+	};
+end
+
+-- Returns a handler function to consume the data returned from
+-- the API, compare it to the user's current roster, and perform
+-- any actions necessary (roster pushes, presence probes) to
+-- synchronize them.
+local function updated_friends_handler(username, cb)
+	return (function (ok, code, friends)
+		if not ok then
+			cb(false, code);
+		end
+		local user = sessions[username];
+		local roster = user.roster;
+		local old_contacts = set.new(array.collect(it.keys(roster)));
+		local new_contacts = set.new(array.collect(it.keys(friends)));
+		
+		-- These two entries are not real contacts, ignore them
+		old_contacts:remove(false);
+		old_contacts:remove("pending");
+		
+		module:log("debug", "New friends list of %s: %s", username, json.encode(friends));
+		
+		-- Calculate which contacts have been added/removed since
+		-- the last time we fetched the roster
+		local added_contacts = new_contacts - old_contacts;
+		local removed_contacts = old_contacts - new_contacts;
+		
+		local added, removed = 0, 0;
+		
+		-- Add new contacts and notify connected clients
+		for contact_jid in added_contacts do
+			module:log("debug", "Processing new friend of %s: %s", username, contact_jid);
+			roster[contact_jid] = friend_to_roster_item(friends[contact_jid]);
+			roster_push(username, roster, contact_jid);
+			send_presence(username, contact_jid, true);
+			added = added + 1;
+		end
+		
+		-- Remove contacts and notify connected clients
+		for contact_jid in removed_contacts do
+			module:log("debug", "Processing removed friend of %s: %s", username, contact_jid);
+			roster[contact_jid] = nil;
+			roster_push(username, roster, contact_jid);
+			send_presence(username, contact_jid, false);
+			removed = removed + 1;
+		end
+		module:log("debug", "User %s: added %d new contacts, removed %d contacts", username, added, removed);
+		cb(true);
+	end);
+end
+
+-- Fetch the named user's roster from the API, call callback (cb)
+-- with status and result (friends list) when received.
+function fetch_roster(username, cb)
+    local x = {headers = {}};
+    x["headers"]["ACCEPT"] = "application/json, text/plain, */*";
+	local ok, err = http.request(
+        roster_url:format(username),
+        x,
+        function (roster_data, code)
+            if code ~= 200 then
+                if code ~= 0 then
+                    module:log("error", "Error fetching roster from %s (code %d): %s", roster_url:format(username), code, tostring(roster_data):sub(1, 40):match("^[^\r\n]+"));
+                    cb(nil, code, roster_data);
+                end
+                return;
+            end
+        module:log("debug", "Successfully fetched roster for %s", username);
+        module:log("debug", "The roster data is %s", roster_data);
+        cb(true, code, json.decode(roster_data));
+	end);
+	if not ok then
+		module:log("error", "Failed to connect to roster API at %s: %s", roster_url:format(username), err);
+		cb(false, 0, err);
+	end
+end
+
+-- Fetch the named user's roster from the API, synchronize it with
+-- the user's current roster. Notify callback (cb) with true/false
+-- depending on success or failure.
+function refresh_roster(username, cb)
+	local user = sessions[username];
+	if not (user and user.roster) then
+		module:log("debug", "User's (%q) roster updated, but they are not online - ignoring", username);
+		cb(true);
+		return;
+	end
+	fetch_roster(username, updated_friends_handler(username, cb));
+end
+
+--- Roster protocol handling ---
+
+-- Build a reply to a "roster get" request
+local function build_roster_reply(stanza, roster_data)
+	local roster = st.reply(stanza)
+		:tag("query", { xmlns = "jabber:iq:roster" });
+
+	for jid, item in pairs(roster_data) do
+		if jid and jid ~= "pending" then
+			roster:tag("item", {
+				jid = jid,
+				subscription = item.subscription,
+				ask = item.ask,
+				name = item.name,
+			});
+			for group in pairs(item.groups) do
+				roster:tag("group"):text(group):up();
+			end
+			roster:up(); -- move out from item
+		end
+	end
+	return roster;
+end
+
+-- Handle clients requesting their roster (generally at login)
+-- This will not work if mod_roster is loaded (in 0.9).
+module:hook("iq-get/self/jabber:iq:roster:query", function(event)
+	local session, stanza = event.origin, event.stanza;
+
+	session.interested = true; -- resource is interested in roster updates
+
+	local roster = session.roster;
+	if roster[false].downloaded then
+		return session.send(build_roster_reply(stanza, roster));
+	end
+
+	-- It's possible that we can call this more than once for a new roster
+	-- Should happen rarely (multiple clients of the same user request the
+	-- roster in the time it takes the API to respond). Currently we just
+	-- issue multiple requests, as it's harmless apart from the wasted
+	-- requests.
+	fetch_roster(session.username, function (ok, code, friends)
+		if not ok then
+			session.send(st.error_reply(stanza, "cancel", "internal-server-error"));
+			session:close("internal-server-error");
+			return;
+		end
+		
+		-- Are we the first callback to handle the downloaded roster?
+		local first = roster[false].downloaded == nil;
+		
+		if first then
+			-- Fill out new roster
+			for jid, friend in pairs(friends) do
+				roster[jid] = friend_to_roster_item(friend);
+			end
+		end
+		
+		-- Send full roster to client
+		session.send(build_roster_reply(stanza, roster));
+
+		if not first then
+			-- We already had a roster, make sure to handle any changes...
+			updated_friends_handler(session.username, nil)(ok, code, friends);
+		end
+	end);
+
+	return true;
+end);
+
+-- Prevent client from making changes to the roster. This will not
+-- work if mod_roster is loaded (in 0.9).
+module:hook("iq-set/self/jabber:iq:roster:query", function(event)
+	local session, stanza = event.origin, event.stanza;
+	return session.send(st.error_reply(stanza, "cancel", "service-unavailable"));
+end);
+
+--- HTTP endpoint to trigger roster refresh ---
+
+-- Handles updating for a single user: GET /roster_admin/refresh/USERNAME
+function handle_refresh_single(event, username)
+	refresh_roster(username, function (ok, code, err)
+		event.response.headers["Content-Type"] = "application/json";
+		event.response:send(json.encode({
+			status = ok and "ok" or "error";
+			message = err or "roster update complete";
+		}));
+	end);
+	return true;
+end
+
+-- Handles updating for multiple users: POST /roster_admin/refresh
+-- Payload should be a JSON array of usernames, e.g. ["user1", "user2", "user3"]
+function handle_refresh_multi(event)
+	local users = json.decode(event.request.body);
+	if not users then
+		module:log("warn", "Multi-user refresh attempted with missing/invalid payload");
+		event.response:send(400);
+		return true;
+	end
+	
+	local count, count_err = 0, 0;
+	
+	local function cb(ok)
+		count = count + 1;
+		if not ok then
+			count_err = count_err + 1;
+		end
+		
+		if count == #users then
+			event.response.headers["Content-Type"] = "application/json";
+			event.response:send(json.encode({
+				status = "ok";
+				message = "roster update complete";
+				updated = count - count_err;
+				errors = count_err;
+			}));
+		end
+	end
+	
+	for _, username in ipairs(users) do
+		refresh_roster(username, cb);
+	end
+	
+	return true;
+end
+
+
+module:provides("http", {
+	route = {
+		["POST /refresh"] = handle_refresh_multi;
+		["GET /refresh/*"] = handle_refresh_single;
+	};
+});
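Review bot: `handle_refresh_multi` passes the untrusted request body straight to `json.decode`, and lua-cjson raises on malformed or missing input rather than returning nil, so the `if not users` branch is never reached for bad JSON; an empty array or a JSON object also leaves `count == #users` unsatisfied, so no response is ever sent. The guarded version below decodes under `pcall`, checks the decoded type and replies immediately when there is nothing to refresh. In `updated_friends_handler` the `if not ok then cb(false, code); end` branch needs a `return`, since it currently falls through to the roster comparison with `friends` holding the error value, and `cb` needs a nil check because the roster-get hook passes `nil`. `fetch_roster` formats the username into `roster_url` without the URL-encoding the README promises, which `roster_url:format(http.urlencode(username))` would supply, and its `json.decode(roster_data)` on the backend reply is equally unguarded. Neither `/refresh` route authenticates the caller, so the module relies entirely on the firewalling the README describes; a shared-secret check in both handlers would make that dependency explicit.

```lua
function handle_refresh_multi(event)
	-- cjson raises on malformed input, so decode under pcall
	local decoded_ok, users = pcall(json.decode, event.request.body);
	if not decoded_ok or type(users) ~= "table" then
		-- … unchanged: warn log and 400 reply …
	end

	local total = #users;
	if total == 0 then
		-- Nothing to refresh: reply now, because cb would never run
		event.response.headers["Content-Type"] = "application/json";
		event.response:send(json.encode({
			status = "ok";
			message = "roster update complete";
			updated = 0;
			errors = 0;
		}));
		return true;
	end
	-- … unchanged: count/count_err, cb (comparing count with total) and the ipairs loop …
```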