Limited Users Receive External Messages

[andydvsn]

I've been setting up a Snikket instance for family chats, but noticed that "Limited" accounts can receive messages from external XMPP accounts just fine. Using a test account on xmpp.social the messages come through to the Snikket client with OMEMO encryption and are displayed, including images, followed by a message "Error: Communication with xmpp.social is not available". I have not tested voice or video chats.

Any attempt to add the external account to the "Limited" account's contact list fails with no error and the prompt "Contact added you to their contact list. Add to contacts?" remains on the screen. Any attempt to reply fails as shown in the image below, tapping the info symbol returns "There is no trusted device to send message to".

Given that limited accounts are supposed to be restricted to on-server communications, this is all a bit concerning. Could it please be investigated? Something that may be affecting this could be that I am running this server behind a reverse proxy as configured here. I don't know for a fact that this would make any difference, but it's a pecularity of this server I thought should be mentioned.

[andydvsn]

Apologies, I'm an idiot and have just finished reading the User roles documentation page where it clearly states:

Caveats

The current support for limited users has some known issues. It is designed to prevent casual misuse of the server, but it is not intended to be a foolproof security measure. For example, limited users are still able to receive messages and contact requests from other servers, even though they cannot send them to other servers. It is expected that we will restrict incoming traffic for limited users in a future release, after further testing.

I don't know where this is on the priority list right now, but I'd personally like this to receive some attention as I'm far more concerned about incoming rather than outgoing messages for limited accounts.

[mwild1]

I'm planning to tackle this in the next release, and have already made a start (internally transitioning the blocking mechanism to mod_firewall). However that work is incomplete.

As a side note, I'm not sure what your use case for limited accounts is exactly, but I use limited accounts for my children. As their addresses are not discoverable, there is basically no chance of receiving incoming traffic to those addresses from other servers - someone would have to first guess that the account(s) exist, and then correctly guess the address. Of course, it's not impossible if you have a common name, someone determines that you run Snikket and they want to attempt (one-way) contact. It's just extremely unlikely, which is why this hasn't been super top priority.

[andydvsn]

Thanks, @mwild1! In fact the use case is identical, except with the accounts being on a domain which is a contraction of our surname the addresses in our case are eminently guessable. :)

I may reconsider having child accounts on the "main" server and set up something more obscure for the same purpose, at least until blocking is more robust. Great to know it's still on the table for the future though. 👍