Stream Feature: Implement Roster 'set' request to add item #16

Open
opened 2024-11-25 19:14:16 +00:00 by Ivan-lis · 0 comments
Member

Stream and Stanza overview: https://xmpp.org/rfcs/rfc6120.html#streams

Presence examples: https://xmpp.org/rfcs/rfc6121.html#presence

Roster add: https://xmpp.org/rfcs/rfc6121.html#roster-add

A "roster set" is a client's request for the server to modify (i.e., create, update, or delete) a roster item; syntactically it is an IQ stanza of type "set" sent from client to server and containing a `<query/>` element qualified by the 'jabber:iq:roster' namespace.

The following rules apply to roster sets:

The `<query/>` element MUST contain one and only one `<item/>` element.
The server MUST ignore any value of the 'subscription' attribute other than "remove" (see Section 2.1.2.5).

Security Warning: Traditionally, the IQ stanza of the roster set included no 'to' address, with the result that all roster sets were sent from an authenticated resource (full JID) of the account whose roster was being updated. Furthermore, RFC 3921 required a server to perform special-case checking of roster sets to ignore the 'to' address; however, this specification has removed that special-casing, which means that a roster set might include a 'to' address other than that of the sender. Therefore, the entity that processes a roster set MUST verify that the sender of the roster set is authorized to update the roster, and if not return a `<forbidden/>` error.

```xml
C: <iq from='juliet@example.com/balcony'
       id='rs1'
       type='set'>
     <query xmlns='jabber:iq:roster'>
       <item jid='nurse@example.com'/>
     </query>
   </iq>
```
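A sketch of the server-side check the Security Warning calls for, added here as an example and not taken from the issue or the Larra code base. The names `handle_roster_set`, `reply`, `condition_of` and the in-memory `rosters` dict are hypothetical. The owner-only authorization policy is an assumption, as is a dispatcher that has already confirmed the stanza is an IQ of type "set".

```python
import xml.etree.ElementTree as ET

ROSTER = "{jabber:iq:roster}"
STANZAS = "{urn:ietf:params:xml:ns:xmpp-stanzas}"

def bare(jid):
    # Drop the resource part. Real code must also normalize the JID before comparing.
    return jid.split("/", 1)[0]

def reply(iq, err_type=None, condition=None):
    """Build the <iq/> result, or an error carrying the given stanza condition."""
    out = ET.Element("iq", {"id": iq.get("id", ""), "type": "error" if condition else "result"})
    if condition:
        ET.SubElement(ET.SubElement(out, "error", {"type": err_type}), STANZAS + condition)
    return out

def condition_of(rep):
    """Local name of the error condition in a reply, or None for a result."""
    err = rep.find("error")
    return None if err is None else err[0].tag.replace(STANZAS, "")

def handle_roster_set(iq, session_jid, rosters):
    """session_jid is the full JID bound to the authenticated stream, never the
    client-supplied 'from'. rosters maps bare JID -> {contact: item attributes}."""
    owner = bare(session_jid)
    # Assumed policy: only the account owner may modify its roster, so a 'to'
    # naming any other account is refused before the payload is looked at.
    if bare(iq.get("to") or owner) != owner:
        return reply(iq, "auth", "forbidden")
    query = iq.find(ROSTER + "query")
    items = [] if query is None else query.findall(ROSTER + "item")
    if len(items) != 1 or not items[0].get("jid"):
        return reply(iq, "modify", "bad-request")
    item, roster = items[0], rosters.setdefault(owner, {})
    contact = bare(item.get("jid"))
    if item.get("subscription") == "remove":
        if roster.pop(contact, None) is None:
            return reply(iq, "cancel", "item-not-found")
    else:
        # Any other client-supplied 'subscription' value is ignored: keep the
        # stored state, or start at "none" for a new item.
        state = roster.get(contact, {}).get("subscription", "none")
        roster[contact] = {"name": item.get("name"), "subscription": state}
    return reply(iq)

# Constructed sample stanzas (the first mirrors the request quoted in the issue).
ADD = ("<iq from='juliet@example.com/balcony' id='rs1' type='set'><query xmlns='jabber:iq:roster'>"
       "<item jid='nurse@example.com' subscription='both'/></query></iq>")
CROSS = ADD.replace("id='rs1'", "id='rs2' to='romeo@example.com'")
```

Passing `ET.fromstring(CROSS)` with Juliet's session JID yields a `<forbidden/>` error and leaves every roster untouched, while `ADD` stores the item with subscription "none" despite the client asking for "both".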
Ivan-lis added this to the Main project 2024-11-25 19:16:03 +00:00
Ivan-lis added a new dependency 2024-11-25 19:20:29 +00:00
Ivan-lis added a new dependency 2024-11-25 19:24:32 +00:00
Ivan-lis changed title from Stream Feature: Add new user to user's Roster to Stream Feature: Implement Roster 'set' request 2024-12-25 12:27:43 +00:00
Ivan-lis changed title from Stream Feature: Implement Roster 'set' request to Stream Feature: Implement Roster 'set' request to add item 2024-12-25 12:32:16 +00:00
Ivan-lis added a new dependency 2024-12-25 20:17:55 +00:00
Ivan-lis added a new dependency 2024-12-25 20:35:13 +00:00
Reference: Larra/larra#16