
Support SASL2 FAST authentication#840

Open
kousu wants to merge 4 commits into
strophe:masterfrom
kousu:sasl2_fast_2

Conversation

@kousu kousu commented Jun 9, 2025


FAST is a cookie-style authentication method that lets clients store and auth with an unguessable token. It enables clients to forget the user's full password, which is especially important for web-based clients, which are prone to data leaks. Leaked tokens can be invalidated.

This is my second attempt, and supersedes #839 .

Intended to fix conversejs/converse.js#3144

Some aside changes I needed for this:

  • I let handlers listen to the opening stanza
  • Set 'from' on the opening tag. (ref: https://github.com/xmppjs/xmpp.js/pull/1006/files#r1893267922)
  • Create a type of handler that can search nested data. This made setting up listeners a lot more convenient.
  • During connection, replace has_features with the direct XML stream:features, which is more direct and defensive.
  • Moved Status.AUTHENTICATING before FAST/SASL

Testing

On a prosody server, set these modules_enabled:

	-- in prosody.cfg.lua; add these entries to the existing modules_enabled list
	modules_enabled = {
		-- SASL2/FAST
		"sasl2";
		"sasl2_bind2";
		"sasl2_sm";
		"sasl2_fast";
		"client_management";
	}

Make or pick a test account on your server to test with.

Then run the client with:

# check out the strophe.js branch from this PR and the matching converse.js branch
git clone -b sasl2_fast_2 git@github.com:kousu/strophejs
git clone -b sasl2_fast_2 git@github.com:kousu/converse.js
cd converse.js

Edit converse.js/dev.html to change the prefilled username to match your server (or just be ready to type it in)

npm ci
# dev server and rebuild-on-change in the background, then open the dev page
npm run serve & npm run watch & xdg-open https://localhost:8080/dev.html

TODO:

  • Test under both websocket and BOSH
  • Invalidate token on logout
    • In the corresponding Converse.js branch, actually forget the token on logout
  • Undo my over-eager autoformatter
  • support the other HT- methods from the spec
  • Disentangle the circular dependency between index.js loading sasl2.js/sasl2_fast.js but them needing to talk to Strophe
  • Check and provide proper copyright notice for the snippet I took from xmpp.js

Potential follow-ups:

  • rewrite the SASL code into an event-based src/sasl.js to make it look like src/sasl2.js

  • allow fallback from SASL2 to SASL and between SASL methods

    (currently assumes only ONE login method will be tried per connect(), which could block login if one is failing)

Development

Successfully merging this pull request may close these issues.

Support XEP-0484: Fast Authentication Streamlining Tokens

2 participants