Planet Jabber

ProcessOne: ejabberd 19.09.1

6 hours 51 minutes ago

We are announcing a supplemental bugfix release of ejabberd version 19.09.1. The main focus has been to fix the issue with webadmin returning 404 Not Found when Host header doesn’t match anything in configured hosts.

Bugfixes

Some people have reported still having issues when connecting to the web administration console. We solved that hopefully once and for all.

Technical changes

There is no change to perform on the database to move from ejabberd 19.09 to ejabberd 19.09.1. Still, as usual, please, make a backup before upgrading.

Download and install ejabberd 19.09.1

The source package and binary installers are available at ProcessOne. If you installed a previous version, there are no additional upgrade steps, but as a good practice, please back up your data.

As usual, the release is tagged in the Git source code repository on GitHub. If you suspect that you’ve found a bug, please search for or file a bug report in Issues.

Full changelog
===========

* Bugfixes
– Fix issue with webadmin returning 404 when ‘Host’ header doesn’t match anything in configured hosts
– Change url to guide in webadmin to working one

Marek Foss

Isode: Isode at TechNet Europe

8 hours 3 minutes ago

In a week’s time, TechNet Europe kicks off. This is AFCEA Europe’s second largest annual event, and we will be there.

We will be demonstrating our Military Messaging system, and showing off the capabilities that make it ideal for deployments requiring high levels of security, such as:

  • Conversion/equivalencies between label formats, using a Security Policy (SPIF) based approach to map between the various supported label formats on Email. This will be demonstrated using our web-based email client, Harrier.
  • XEP-0258 (Security Labels in XMPP) support as well as conversion/equivalencies between label formats in XMPP. Our Swift XMPP client will be used to demonstrate 1-2-1 and MUC room chats using security labels.

We will also be demonstrating our IRC Gateway product: the M-Link IRC Gateway enables connections between IRC and XMPP servers.

If you’re attending TechNet Europe, pop along to the Isode stand for a demonstration of our software and to say hi to Jeff Tillotson (our Defence business development manager) and Jon Purvis (one of our pre-sales engineers).

Hannah George

ProcessOne: Understanding ejabberd OAuth Support & Roadmap

1 day 12 hours ago

Login and password authentication is still the most commonly used auth mechanism on XMPP services. However, it raises security concerns because it requires storing the credentials in the client app in order to log in again without asking for the password.

Mobile APIs on iOS and Android can let you encrypt the data at rest, but still, it is best not to rely on storing any password at all.

Fortunately, several solutions exist – all supported by ejabberd. You can either use OAuth or certificate-based authentication. As client certificate management is still quite a tricky issue, I will focus in this post on explaining how to set up and use ejabberd OAuth support.

Understanding ejabberd OAuth Support

The principle of OAuth is simple: OAuth offers a mechanism to let your users generate a token to connect to your service. The client can just keep that token to authenticate and is not required to store the password for subsequent authentications.

Implicit grant

As of ejabberd 19.09, ejabberd supports only the OAuth implicit grant. Implicit grant is often used to let third-party clients — clients you do not control — connect to your server.

The implicit grant requires redirecting the client to a web page, so the client never even sees the user’s login and password. Indeed, as you cannot trust third-party clients, this is the sane thing to do to keep your users’ passwords from being typed directly into any third-party client. You can never be sure that the client will not store it (locally, or worse, in the cloud).

With the implicit grant, the client app directs the user to the sign-in page on your server to authenticate and get the token, often with login and password (but the mechanism can be different and could involve 2FA, for example). Your website then uses a redirect URL that will be passed back to the client, containing the token to use for logging in. The redirect usually happens via a client-registered domain or a custom URL scheme.

… and password grant

The implicit grant workflow is not ideal if your ejabberd service is only usable with your own client. Using web view redirects can feel cumbersome in your onboarding workflow. As you trust the client, you would probably like to be able to directly call an API with the login and password, get the OAuth token back, and forget about the password. The user experience will be more pleasant and feel more native.

This flow is known in OAuth as the OAuth password grant.

In the upcoming ejabberd version, you will be able to use OAuth password grant as an addition to the implicit grant. The beta feature is already in ejabberd master branch, so you have a good opportunity to try it and share your feedback.

Let’s use ejabberd OAuth Password grant in practice

Step 1: ejabberd configuration

To support OAuth2 in ejabberd, you can add the following directives in ejabberd config file:

# Default duration for generated tokens (in seconds)
# Here the default value is 30 days
oauth_expire: 2592000
# OAuth token generation is enabled for all server users
oauth_access: all
# Check that the client ID is registered
oauth_client_id_check: db

In your web HTTPS ejabberd handler, you also need to add the oauth request handler:

listen:
  # ...
  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      # ...
      "/oauth": ejabberd_oauth

Note: I am using HTTPS, even for a demo, as it is mandatory to work on iOS. During the development phase, you should create your own CA to add a trusted development certificate to ejabberd. Read the following blog post if you need guidance on how to do that: Using a local development trusted CA on MacOS

You can download my full test config file here: ejabberd.yml

Step 2: Registering an OAuth client

If you produce a first party client, you can bypass the need for OAuth to redirect to your browser to get the token.

As you trust the application you are developing, you can let the user of your app directly enter the login and password inside your client. However, you should never store the password directly, only the OAuth tokens.

In ejabberd, I recommend you first configure an OAuth client, so that it can check that the client id is registered.

You can use the ejabberdctl command oauth_add_client_password, or use the Erlang command line.

Here is how to use ejabberdctl to register a first-party client:

ejabberdctl oauth_add_client_password <client_id> <client_name> <secret>

As the feature is still in development, you may find it easier to register your client directly using the Erlang command line. Parameters are client_id, client_name and a secret:

1> ejabberd_oauth:oauth_add_client_password(<<"client-id-Iegh7ooK">>, <<"Demo client">>, <<"3dc8b0885b3043c0e38aa2e1dc64">>).
{ok,[]}

Once you have registered a client, you can start generating OAuth tokens for your users from your client, using an HTTPS API.

Step 3: Generating a password grant token

You can use the standard OAuth2 password grant query to get a bearer token for a given user. You will need to pass the user JID and the password. You need to request the OAuth scope sasl_auth so that the token can be used for authentication directly in the XMPP flow.

Note: As you are passing the client secret as a parameter, you must use HTTPS in production for those queries.

Here is an example query to get a token using the password grant flow:

curl -i -X POST 'https://localhost:5443/oauth/token' \
  -d grant_type=password \
  -d username=test@localhost \
  -d password=test \
  -d client_id=client-id-Iegh7ooK \
  -d client_secret=3dc8b0885b3043c0e38aa2e1dc64 \
  -d scope=sasl_auth

HTTP/1.1 200 OK
Content-Length: 114
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{"access_token":"DGV4JFzW15iZFmsnvzT7IymupTAYvo6U","token_type":"bearer","scope":"sasl_auth","expires_in":2592000}

As you can see, the response is a JSON object. You can easily extract the access_token from it. That’s the part you will use to authenticate on XMPP.
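The password grant exchange above, as an added Go example (not code from the post or from ejabberd): it posts the same form fields to the token endpoint, decodes the JSON response, and refuses tokens that are not bearer tokens or were not granted the sasl_auth scope. The endpoint, client id, secret and user values are the ones from the post; the server is assumed to be running locally with the configuration shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// TokenResponse mirrors the JSON body ejabberd's /oauth/token endpoint returns.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope"`
	ExpiresIn   int64  `json:"expires_in"`
}

// RequestToken performs the OAuth2 password grant. The password is used for this one request
// only: persist the returned token, never the password. Use an HTTPS tokenURL in production,
// because the client secret travels in the request body.
func RequestToken(client *http.Client, tokenURL, clientID, clientSecret, username, password string) (*TokenResponse, error) {
	form := url.Values{}
	form.Set("grant_type", "password")
	form.Set("username", username)
	form.Set("password", password)
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	form.Set("scope", "sasl_auth")
	resp, err := client.PostForm(tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	if err := ValidateToken(&tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

// ValidateToken checks that the token is usable for X-OAUTH2 on the XMPP stream:
// it must be a bearer token and the server must have granted the sasl_auth scope.
func ValidateToken(tr *TokenResponse) error {
	if tr.AccessToken == "" {
		return fmt.Errorf("empty access_token")
	}
	if !strings.EqualFold(tr.TokenType, "bearer") {
		return fmt.Errorf("unexpected token_type %q", tr.TokenType)
	}
	if !strings.Contains(" "+tr.Scope+" ", " sasl_auth ") {
		return fmt.Errorf("sasl_auth scope not granted (got %q)", tr.Scope)
	}
	return nil
}

func main() {
	// Values from the post; fails with a connection error if no local ejabberd is running.
	tr, err := RequestToken(http.DefaultClient, "https://localhost:5443/oauth/token", "client-id-Iegh7ooK", "3dc8b0885b3043c0e38aa2e1dc64", "test@localhost", "test")
	fmt.Println(tr, err)
}
```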

Step 4: Connecting on XMPP using an OAuth token

To authenticate over XMPP, you need to use the X-OAUTH2 mechanism. X-OAUTH2 was defined by Google for Google Talk and reused later by Facebook chat. You can find Google description here: XMPP OAuth 2.0 Authorization.

Basically, it encodes the JID and token as in the SASL PLAIN authorisation, but instead of passing the PLAIN keyword as mechanism, it uses X-OAUTH2. ejabberd will thus know that it has to check the secret against the token table in the database, instead of checking the credentials against the password table.
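The X-OAUTH2 encoding just described, as an added Go example that is not code from the post, ejabberd or the Fluux library: the client side builds the base64 "\x00user\x00token" payload inside an <auth/> element with mechanism X-OAUTH2, and the server side decodes it and checks the token against a token table instead of a password table (expiry, issued-to user and the sasl_auth scope). The token table here is a constructed in-memory stand-in; the user identifier and token values are the ones from the post.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// xoauth2Payload lays out user and token like SASL PLAIN ("\x00authcid\x00secret"), base64-encoded.
func xoauth2Payload(user, token string) string {
	return base64.StdEncoding.EncodeToString([]byte("\x00" + user + "\x00" + token))
}

// xoauth2Auth builds the <auth/> element the client sends; only the mechanism name differs from PLAIN.
func xoauth2Auth(user, token string) string {
	return fmt.Sprintf(`<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="X-OAUTH2">%s</auth>`, xoauth2Payload(user, token))
}

// parseXOAuth2 is the server side of the encoding: decode, then split on NUL.
func parseXOAuth2(b64 string) (user, token string, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", err
	}
	parts := strings.Split(string(raw), "\x00")
	if len(parts) != 3 || parts[0] != "" || parts[1] == "" || parts[2] == "" {
		return "", "", fmt.Errorf("malformed X-OAUTH2 payload")
	}
	return parts[1], parts[2], nil
}

// tokenEntry is a constructed stand-in for one row of the server's token table; scope is space-separated.
type tokenEntry struct {
	user, scope string
	expiry      time.Time
}

// checkXOAuth2 mirrors the server-side decision: the token must exist, be unexpired,
// belong to the user named in the payload and carry sasl_auth. No password table is consulted.
func checkXOAuth2(b64 string, table map[string]tokenEntry, now time.Time) (string, error) {
	user, token, err := parseXOAuth2(b64)
	if err != nil {
		return "", err
	}
	e, ok := table[token]
	switch {
	case !ok:
		return "", fmt.Errorf("unknown token")
	case !now.Before(e.expiry):
		return "", fmt.Errorf("token expired")
	case e.user != user:
		return "", fmt.Errorf("token was issued to a different user")
	case !strings.Contains(" "+e.scope+" ", " sasl_auth "):
		return "", fmt.Errorf("token lacks the sasl_auth scope")
	}
	return user, nil
}

func main() {
	// Constructed sample table holding the token from the post, valid for 30 days.
	table := map[string]tokenEntry{"DGV4JFzW15iZFmsnvzT7IymupTAYvo6U": {"test@localhost", "sasl_auth", time.Now().Add(720 * time.Hour)}}
	fmt.Println(xoauth2Auth("test@localhost", "DGV4JFzW15iZFmsnvzT7IymupTAYvo6U"))
	fmt.Println(checkXOAuth2(xoauth2Payload("test@localhost", "DGV4JFzW15iZFmsnvzT7IymupTAYvo6U"), table, time.Now()))
}
```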

Quick demo

Next, let’s demonstrate the connection using Fluux Go XMPP library, which is the only library I know that supports OAuth tokens today.

Here is an example client login on XMPP with an OAuth2 token:

package main

import (
	"fmt"
	"log"
	"os"

	"gosrc.io/xmpp"
	"gosrc.io/xmpp/stanza"
)

func main() {
	config := xmpp.Config{
		Address:      "localhost:5222",
		Jid:          "test@localhost",
		Credential:   xmpp.OAuthToken("DGV4JFzW15iZFmsnvzT7IymupTAYvo6U"),
		StreamLogger: os.Stdout,
	}

	router := xmpp.NewRouter()
	router.HandleFunc("message", handleMessage)

	client, err := xmpp.NewClient(config, router)
	if err != nil {
		log.Fatalf("%+v", err)
	}

	// If you pass the client to a connection manager, it will handle the reconnect policy
	// for you automatically.
	cm := xmpp.NewStreamManager(client, nil)
	log.Fatal(cm.Run())
}

func handleMessage(s xmpp.Sender, p stanza.Packet) {
	msg, ok := p.(stanza.Message)
	if !ok {
		_, _ = fmt.Fprintf(os.Stdout, "Ignoring packet: %T\n", p)
		return
	}

	_, _ = fmt.Fprintf(os.Stdout, "Body = %s - from = %s\n", msg.Body, msg.From)
}

The important part for OAuth is that you are telling the library to use an OAuth2 token with the following value in the xmpp.Config struct:

xmpp.Config{
	// ...
	Credential: xmpp.OAuthToken("DGV4JFzW15iZFmsnvzT7IymupTAYvo6U"),
}

You can check the example in Fluux XMPP example directory: xmpp_oauth2.go

There is more

As I said, ejabberd OAuth support is not limited to generating password grant. Since ejabberd 15.09, we support implicit grant generation and it is still available. You can find more information in ejabberd documentation: OAuth

Moreover, there is more than XMPP authentication with OAuth 2. In the current development version, you can authenticate your devices on ejabberd MQTT service using MQTT 5.0 Enhanced Authentication. The authentication method to use is the same as for XMPP: We reuse the X-OAUTH2 method name. When trying to use this method, the server will confirm you are allowed to use that method and you can pass your token in return.

Please, note that you will need to use an MQTT 5.0 client library to use OAuth2 authentication with MQTT.

Conclusion

ejabberd OAuth XMPP and MQTT authentication uses the informal auth mechanism that was introduced by Google Talk and reused by Facebook. It does the job and fills an important security need.

That said, I would love to see more standard support from the XMPP Standard Foundation regarding OAuth authentication. For example, getting a specification translating OAuth authentication to XMPP flow would be of great help.

Still, in the meantime, I hope more libraries support that informal OAuth specification, so that client developers have a good alternative to local password storage for subsequent authentications.

Please, give it a try from master and send us feedback if you want to help us shape the evolution of OAuth support in ejabberd.

… And let’s end password-oriented client authentication :)

Mickaël Rémond

Debian XMPP Team: New Dino in Debian

3 days 3 hours ago

Dino (dino-im in Debian), the modern and beautiful chat client for the desktop, has some nice, new features. Users of Debian testing (bullseye) might like to try them:

  • XEP-0391: Jingle Encrypted Transports (explained here)
  • XEP-0402: Bookmarks 2 (explained here)

Note that users of Dino on Debian 10 (buster) should upgrade to version 0.0.git20181129-1+deb10u1, because of a number of security issues that have been found (CVE-2019-16235, CVE-2019-16236, CVE-2019-16237).

There have been other XMPP related updates in Debian since the release of buster, among them:

You might be interested in October’s XMPP newsletter, also available in German.

Martin

ProcessOne: FrenchKit Conference: Day 2 Highlights

5 days 14 hours ago

Yesterday, I shared my highlights on FrenchKit Conference 2019, Day 1. Today, I will talk about FrenchKit Day 2.

Swift Superpowers

Swift Superpowers were three lightning talks presented by David Bonnet, mostly focused on server-side Swift, and spread out during the day. He covered the following topics:

  • Vapor 3 code examples
  • Networking example with SwiftNIO and the new cross-platform URLSession client (you need to import FoundationNetworking on Linux)
  • Debug of Vapor apps in Xcode and cross-platform testing using XCTest and Docker

Like the day before, those lightning talks were great and refreshing.

Swift Generics: It isn’t supposed to hurt

Rob Napier explained how to incrementally refactor your code using generics to make it more flexible and avoid repeating the same patterns.

The talk was interesting and condensed, and was followed by an even more content-packed masterclass at the end of the day. The topic is fascinating, but the masterclass format does not do it justice. It is very hard to keep your focus for 90 minutes on hardcore generics code refactors.

The takeaway, as always, is to start with concrete code first and then work out the generics.

Note encryption: 10 lines for encryption, 1500 lines for key management

Next was a mind-blowing talk on cryptography by Anastasiia Voitova. She knows her topic, and the story of how her company Cossack Labs helped implement end-to-end encryption in the Bear note taking app was very enlightening.

SwiftPM’s New Resolver: Can it Resolve the Conflicts in my Relationship?

I quite liked Mert Buran’s talk. He managed to make a dry topic, Swift package resolution, interesting.

Mert’s talk was also the funniest of the conference, with examples of conflict resolution in his rock band.

Finally, my takeaway is that Swift Package Manager is a nice piece of Open Source code that you can read and learn from.

This is not rocket (data) science

It was another great talk. Hervé Beranger covered all the concrete use cases of AI that you can add today in your iOS applications:

  • Voice Interfaces
  • Translations
  • Semantic search
  • Sentiment analysis
  • Suggested related searches
  • Smart replies
  • Home-made text classifiers

He gave a lot of examples, with the Apple API you can use to implement them.

An introduction to property-based testing

I was happy to see a talk on property-based testing. At ProcessOne, we have worked with Quviq to use Erlang Quickcheck on our code base. I have been passionate about Property based testing.

Vincent Pradeilles did a good job presenting Property-based testing and explaining how you can use it as an addition to more traditional testing methods.

Swift has quite a nice implementation of Quickcheck, called SwiftCheck. You should give it a try.

Vincent also mentioned lightweight alternatives to help testing with random data, such as using a faker library to generate random data, in a fuzzy testing approach.

Shipping a Catalyst app: The Good, the Bad and the Ugly

This was a nice talk by Peter Steinberger sharing his feedback on Catalyst. Catalyst is a framework to port UIKit-based iPadOS apps to macOS. He shared the tricks they had to use to make their PDFViewer app feel more native on macOS using Catalyst.

For example, Peter was forced to bridge to AppKit for some features like:

  • Toolbar with toolbar editor
  • NSSearch
  • NSCursor changes (MacSupport bundle)
  • Open Recent menu support (particularly painful to implement as Catalyst Apps are sandboxed, like all Mac AppStore apps)

And that’s a wrap

The final talk was from Olivier Halligon and was one of my favorites. He managed to explain why and how to use property wrappers in Swift. Property wrappers were added in Swift 5.1 and they are my favorite new feature. If you use them with a clear purpose, they can really help improve your code.

You can check his slides: And that’s a Wrap!

Make sure to check the last tip on how to use property wrappers to avoid implementing Codable manually for your struct just to handle the date format properly. This is a tip I expect to reuse often.

Conclusion

Overall, the FrenchKit Conference was really great. It was a well organised event packed with great talks.

If you could not attend, you can always catch up with the talks on video when they get released.

Mickaël Rémond

ProcessOne: FrenchKit Conference: Day 1 Highlights

5 days 14 hours ago

FrenchKit is an iOS and macOS developer conference held in Paris. The fourth edition took place on October 7-8, 2019. I was attending this conference for the first time and really enjoyed the gathering. The conference is well organised, with a lot of excellent speakers. There is a true good vibe coming from the FrenchKit community, at least from a French perspective, but I feel this impression was shared by international visitors I spoke with.

Here are my highlights for the first day.

Swift Pills

Swift Pills were three small lightning talks presented at various times during the first day by Vincent Pradeilles.

The talks were nice, sharing small 5-minute tips on various topics:

  • Encapsulating [weak self]
  • Let’s talk about @autoclosure
  • Optionals

I liked the talks, but more than that, I feel that spreading some lightning talks throughout the day is a very nice idea. It breaks the rhythm of a long sequence of talks and feels like a refreshing break. It felt better than gathering all lightning talks at once. I think other conferences should also adopt that idea.

Animations with SwiftUI

Chris Eidhof is famous for his live coding video tutorials on Objc.io. He demoed how to build a custom shake animation with SwiftUI, using a GeometryEffect view modifier. You can read more about the topic he presented on his blog: SwiftUI: Shake Animation

Understanding Combine

The second talk was presented by Daniel Steinberg, another prominent speaker in the Swift development community. He demonstrated how the reactive pattern differs from the delegation pattern, and did a great job explaining the use of Combine with UIKit (Yes, you can use @Published on UIKit View Controllers).

SwiftUI with Redux

Thomas Ricouard managed to pack a nice Redux introduction into a short time, with examples coming from his app MovieSwiftUI. You can check his Open Source app on GitHub: MovieSwiftUI.

As he says, Apple hinted at unidirectional data flow (a-la Redux) at WWDC, but did not precisely describe how to leverage it. Thomas’s talk helped to fill the gap.

Showcase driven development

This talk by Jérôme Alves introduced the approach used at Heetch to help shorten each development iteration. The principle is simple: If you want to avoid large pull requests with complex merges, you need to focus on short-lived development branches changing only a few things. You thus split big features into sub-features and even split them by layers (model, view, etc) to have smaller branches to merge.

However, how do you demonstrate work-in-progress? The solution presented by Jérôme is to introduce a menu in the Debug build of their application dedicated to demonstrating your unfinished work. The showcase menu in the test app offers a showcase browser that can be used to show prototype views, workflows, animations, etc. It helps in discussing the next steps and requirements with management, marketing or customers.

Finally, even if Jérôme recommends rolling your own code to set up that feature, Heetch released ShowcaseKit to give you an idea of what they did and how they are using the showcase approach.

Slide to unlock: Building Custom UI with UIKit and CoreAnimation

I also enjoyed this talk from Joel Kin. His talk is about showing that if you master the various layers of Apple UI frameworks (from UIKit to Core Animation), it often makes more sense to develop a custom component based on Apple standard tooling than to introduce and adapt a dependency from GitHub.

He does a great job showing how he built a custom slide-to-unlock component, using fewer lines of code than alternative open source components.

The example is quite convincing, starting from a UISlider and ending up with a great looking “slide-to-unlock” component, complete with even the shimmer effect.

You can check out the code on GitHub: SlideToUnlock

Workshops!

To end the day, you had a choice of seven possible workshops. I attended “Exploring Combine”, hosted by Florent Pillet and Antoine Van Der Lee.

While I had already explored many of the concepts, it was a nice introduction to Apple’s reactive programming framework.

The workshop is a nice way to meet people and share ideas through peer programming to solve the proposed exercises.

Conclusion for Day 1

Day 1 at FrenchKit was a blast. The day was packed with great talks. The atmosphere was very friendly and the venue was great.

Stay tuned for my highlights of Day 2!

Mickaël Rémond
