processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

mod_register: Deny in-band registration in a consistent way #4078

Open melvo opened 11 months ago

melvo commented 11 months ago

Is your feature request related to a problem? Please describe.

If access is set to none, in-band registrations are not allowed. But if it is set to an access_rule that denies the access, ejabberd announces IBR as a stream feature and clients receive IBR IQ stanzas even if they are not authenticated:

<iq xml:lang='en' from='example.org' type='result' id='1'><query xmlns='jabber:iq:register'><username/><password/><instructions>Choose a username and password to register with this server</instructions></query></iq>

That results in clients displaying users an account wizard but after sending the completed fields, ejabberd responds with the <error type='auth'><forbidden xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Access denied by service policy</text></error>.

Describe the solution you'd like

A solution could be to deny all unauthenticated actions. I.e., only actions such as password changes or account removals would be allowed after the user logged in. That would be more intuitive to admins. In addition, IBR should not be announced as a stream feature because that confuses clients.

Describe alternatives you've considered

Another solution could be to add explicit options allowing/denying registrations, password changes or account deletions.
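As an added illustration (not taken from the issue or from ejabberd's own configuration files), two alternative mod_register fragments for ejabberd.yml: the first is the setup the report describes, where a deny rule is referenced through access and the stream feature is still advertised, and the second uses access: none, the setting that actually suppresses it. The rule name register is an assumption (it is only a conventional name); the two fragments are alternatives separated by ---, not one file.

```yaml
# Added example, not from the issue or the ejabberd project.
# Variant A: registration is refused by an access rule, but mod_register
# still advertises <register xmlns='http://jabber.org/features/iq-register'/>
# and answers the unauthenticated <iq type='get'> with the registration form.
# Only the later <iq type='set'> fails with <forbidden/> "Access denied by
# service policy", which is the confusing client behaviour the issue reports.
access_rules:
  register:          # rule name is assumed; any name referenced below works
    - deny: all

modules:
  mod_register:
    access: register # rule evaluates to deny, feature is advertised anyway
---
# Variant B: the same intent expressed with the reserved value "none".
# This is the only mod_register setting (together with ip_access: none)
# that stops the feature from being announced, so clients never show an
# account wizard that is doomed to fail.
modules:
  mod_register:
    access: none
```

Until the behaviour is made consistent, prefer variant B (or leave mod_register out of the modules list entirely) when the goal is to disable in-band registration, and use access rules only to restrict which usernames may register.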

melvo commented 11 months ago

@weiss This is the result of our discussion :)