[WIP] Support SASL2 FAST authentication #839
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kousu
added a commit
to kousu/converse.js
that referenced
this pull request
May 31, 2025
kousu
added a commit
to kousu/converse.js
that referenced
this pull request
May 31, 2025
Demodemo1.mp4demo2.mp4demo3.mp4demo4.mp4TestingHere's how I've been testing: On prosody, you need to enable the community repository and add these modules to your config: I also made heavy use of I haven't tested with ejabberd. And come to think of it I haven't tested with websockets or BOSH proxies either. But give it a shot and let me know what you think! And especially I could use some advice on code organization. |
FAST is a cookie-style authentication method that lets clients store and auth with an unguesseable token. It enables clients to forget the user's full password, which is especially important for web-based clients, that are prone to data leaks. Leaked tokens can be invalidated. - https://xmpp.org/extensions/xep-0484.html - https://xmpp.org/extensions/xep-0388.html Very messy, but I'm sharing for feedback. Intended to fix conversejs/converse.js#3144 Some aside changes I needed for this: - I let handlers listen to the *opening* stanza - Set 'from' on the opening <stream> tag. (ref: https://github.com/xmppjs/xmpp.js/pull/1006/files#r1893267922) - Create a new handler type (I know, I know) that can search *nested data*. This made setting up listeners a lot more convenient. - Rearrange - During connection, replaced has_features with the direct XML element ?. liberally. That seems more direct and defensive. - Moved Status.AUTHENTICATING before FAST/SASL I think the SASL negotiation logic can be cleaned up a lot, It could handle fallback through all the methods, instead of needing awkward special cases for FAST. Allowing handlers to hear the opening stanza means, I am pretty sure, all of SASL2 can become an event-driven plugin, and maybe all of SASL1. Things that are bad: - too much copy-pasting - the SASL negotiation is brittle and only tries one thing, except for FAST which is bodged in - saving/loading the FAST tokens is to be defined I coded something directly in here but really clients need to be making that decision (xmpp.js provided overridable methods to fill with localStorage or a cookie or something) - similarly, saving/loading the **user-agent ID** is left undefined. The tokens are pinned to each user agent, so you can't just pick one at connect, you have to cache it somewhere. - NSHandler was a whim of fancy. It should probably be backed out. Allowing searching for *nested* namespaces/tags (which most other xmpp libraries do?) tidies the code a lot, but I recognize it's offtopic, and there are more verbose ways to achieve FAST without them. - websocket checks for 'secure' before sending 'from', but bosh doesn't yet. - support the other HT- methods from the spec - pull SASL2 into sasl2.js and make it a plugin - load fast.js as a proper plugin instead of importing it in index.js. I did this for testing, so I wouldn't have to mess around too much with ConverseJS. - Needs to disentangle the circular dependencies between a plugin and code that needs to run during the early boot.
|
Superseded by #840 :) |
kousu
added a commit
to kousu/converse.js
that referenced
this pull request
Jun 9, 2025
Also clean up FAST *and* SCRAM keys on log out; otherwise, the credentials are still in the browser, and could be stolen, or reused simply by someone who knows to redefined conversejs-session-jid in localStorage. Depends on strophe/strophejs#839 TODO: * [ ] This *renames* reuse_scram_keys to reuse_keys to cover both FAST and SCRAM, so it should probably get a backwards-compatibility shim for the old name. * [ ] Drop my development environment edit to package.json (without there's no way to test because both repos need to be in sync)
kousu
added a commit
to kousu/converse.js
that referenced
this pull request
Jun 9, 2025
Also clean up FAST *and* SCRAM keys on log out; otherwise, the credentials are still in the browser, and could be stolen, or reused simply by someone who knows to redefined conversejs-session-jid in localStorage. Depends on strophe/strophejs#839 TODO: * [ ] This *renames* reuse_scram_keys to reuse_keys to cover both FAST and SCRAM, so it should probably get a backwards-compatibility shim for the old name. * [ ] Drop my development environment edit to package.json (without there's no way to test because both repos need to be in sync)
5 tasks
kousu
added a commit
to kousu/converse.js
that referenced
this pull request
Jun 9, 2025
Also clean up FAST *and* SCRAM keys on log out; otherwise, the credentials are still in the browser, and could be stolen, or reused simply by someone who knows to redefined conversejs-session-jid in localStorage. Depends on strophe/strophejs#839 TODO: * [ ] This *renames* reuse_scram_keys to reuse_keys to cover both FAST and SCRAM, so it should probably get a backwards-compatibility shim for the old name. * [ ] Drop my development environment edit to package.json (without there's no way to test because both repos need to be in sync)
kousu
added a commit
to kousu/converse.js
that referenced
this pull request
Jun 10, 2025
Also clean up FAST *and* SCRAM keys on log out; otherwise, the credentials are still in the browser, and could be stolen, or reused simply by someone who knows to redefined conversejs-session-jid in localStorage. Depends on strophe/strophejs#839 TODO: * [ ] This *renames* reuse_scram_keys to reuse_keys to cover both FAST and SCRAM, so it should probably get a backwards-compatibility shim for the old name. * [ ] Drop my development environment edit to package.json (without there's no way to test because both repos need to be in sync)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
FAST is a cookie-style authentication method that
lets clients store and auth with an unguesseable token. It enables clients to forget the user's full password, which is especially important for web-based clients, that are prone to data leaks. Leaked tokens can be invalidated.
Very messy, but I'm sharing for feedback.
Intended to fix conversejs/converse.js#3144
Some aside changes I needed for this:
I think the SASL negotiation logic can be cleaned up a lot, It could handle fallback through all the methods, instead of needing awkward special cases for FAST. Allowing handlers to hear the opening stanza means, I am pretty sure, all of SASL2 can become an event-driven plugin, and maybe all of SASL1.
Things that are bad:
invalidate=1option, and it's actually just fully impossible to log out (without digging around in the web debugger anyway)