Add support for XMPP #374

Open
piti-diablotin opened this issue Aug 26, 2020 · 12 comments

@piti-diablotin
Contributor

piti-diablotin commented Aug 26, 2020

Hi,

I was thinking, would it be convenient to add an XMPP gateway? I'm ok to work on this if there is a need.
It would be an alternative to telegram/sms, can be totally free if the admin has a hosted xmpp server (ejabberd/prosody/openfire)
The only question to @ChristophWurst is what XMPP library I should use. I'm afraid of conflicts like the last time with OVH 🤣

Cheers

@ChristophWurst
Member

My concern with this is that it's not as trivial to send an XMPP message as it is to send a text message via a REST gateway. Do you have experience with working with XMPP?

@piti-diablotin
Contributor Author

piti-diablotin commented Aug 26, 2020

Well that's the purpose of using an xmpp library.
Either the connection is made with direct REST xml API or using the HTTP BOSH alternative, the library manages (or should)
Using a library simplifies the use with just

connect
authenticate
send message
disconnect

It is as simple as this. I wrote a small bot once but it was in python with python-xmpp
How I imagine things:
Create a bot login on the xmpp server which can send messages to everyone.
Configure NC_TOTP with

  • JID
  • gateway:port (optional)

Each user would need to enter their own JID in the TOTP settings (new category)
Test the connection as for the others.
Send TOTP via XMPP

@ChristophWurst
Member

Feel free to experiment with this. I have my doubts about this claimed simplicity. We have to be careful with what to put into the user settings. They are quite specific to messaging gateways.

@dora71
Contributor

dora71 commented Dec 31, 2022

Any news about that? Would like to see it in Nextcloud. I can also test.
I think lots of others would also like it. There has already been an issue about that some time ago.
See #96

@dora71
Contributor

dora71 commented Dec 31, 2022

I think there can be (at least for prosody xmpp server) a relatively simple solution, if mod_rest is enabled. See: https://modules.prosody.im/mod_rest
With this, it should be quite similar to the bot-approach of Telegram.
It seems there is also a mod_res available for ejabberd, as mentioned here: https://docs.ejabberd.im/developer/ejabberd-api/
Hope this is worth a try. Would really appreciate it as an alternative to the "big players".

For prosody, I can give you a working example:
Admin will have to provide:

  • xmpp-server address (example.com)
  • username and password of sender ([email protected], password)

User will have to provide:

That's it ... a resulting curl call should be like this (with above example)
curl -u sender:password -H 'Content-Type: text/plain' --data-binary '2FA-Code' https://example.com/rest/message/chat/[email protected]

@ChristophWurst: Would that be a simpler approach to integrate xmpp as a 2FA provider?
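
Added example, not part of the original comment or of the project's code: the request from the curl call above built in Python, with the user-supplied recipient JID validated and percent-encoded before it is placed in the URL path. The helper name, the validation rules and the sample JIDs are assumptions made for illustration; nothing is sent over the network.

```python
import base64
import re
import urllib.parse
import urllib.request

# Forbidden localpart characters per RFC 7622: " & ' / : < > @ (plus whitespace).
# Bare JIDs only (no /resource); a conservative check chosen for this example.
_BARE_JID = re.compile(r"""[^\s"&'/:<>@]{1,1023}@[A-Za-z0-9.-]{1,253}""")
_HOST = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_mod_rest_request(server, sender, password, recipient_jid, body):
    """Return an unsent urllib Request equivalent to the curl call (hypothetical helper)."""
    if not _HOST.fullmatch(server):
        raise ValueError("server must be a bare host name")
    if not _BARE_JID.fullmatch(recipient_jid):
        # Rejects '/', so a value like 'x@y/../admin' cannot add path segments.
        raise ValueError("recipient must be a bare JID (local@domain)")
    if ":" in sender:
        raise ValueError("Basic auth user name must not contain ':'")

    # '?' and '#' are legal in a JID localpart but would end the URL path,
    # so percent-encode everything except '@'.
    path_jid = urllib.parse.quote(recipient_jid, safe="@")
    url = f"https://{server}/rest/message/chat/{path_jid}"

    token = base64.b64encode(f"{sender}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url,
        data=body.encode("utf-8"),              # same as curl --data-binary
        method="POST",
        headers={
            "Content-Type": "text/plain",
            "Authorization": f"Basic {token}",  # same as curl -u sender:password
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the request is built but never sent.
    req = build_mod_rest_request("example.com", "sender", "password",
                                 "alice@example.org", "2FA-Code")
    print(req.get_method(), req.full_url)
```

Because the recipient JID is entered by each user, it is the one untrusted value in the request; the sender credentials stay in the admin configuration and travel only in the Authorization header over HTTPS.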

@poVoq

poVoq commented Dec 31, 2022

There is an XEP for that: https://xmpp.org/extensions/xep-0070.html

A nice example implementation would be here: https://gitlab.com/jnanar/HTTPAuthentificationOverXMPP

@piti-diablotin
Contributor Author

Sorry I did not work on that because I thought my situation was not appropriate: my xmpp account and NC account use the same backend, therefore if one gets my username+password for NC, accesses the TOTP option, then it can also log in to my xmpp access and I think this is not secure although it would be convenient.

@dora71
Contributor

dora71 commented Jan 24, 2023

@piti-diablotin Think big! You could add an xmpp user account especially for sending you your second factor and you can also change the recipient if you consider this more secure.
I am still interested in adding xmpp to the possibilities. I also would contribute code, but I am a programming newbie (in concern of knowledge, I am into it for quite a while now).
@ChristophWurst Is there a documentation for developers of this plugin, 'cause right now, I am not sure what is a good point to start with and what files I have to take in account.

@ChristophWurst
Member

> @ChristophWurst Is there a documentation for developers of this plugin, 'cause right now, I am not sure what is a good point to start with and what files I have to take in account.

No but you can look at the closed PRs and see the other implementations as reference.

@dora71
Contributor

dora71 commented Feb 15, 2023

> > @ChristophWurst Is there a documentation for developers of this plugin, 'cause right now, I am not sure what is a good point to start with and what files I have to take in account.
>
> No but you can look at the closed PRs and see the other implementations as reference.

OK, that is what I did right now. Also took the Telegram part as orientation. I successfully implemented the admin section (occ configuration). I also can successfully test the xmpp gateway via occ twofactorauth:gateway:test

But where do I find the code to edit the user settings part? (where user has to enter the receiving JID, or for Telegram, the chat number)? Until now, the XMPP Gateway shows up in Security settings, but the rest is missing (as I can't find it). Any hints welcome.

@Neustradamus

It will be nice to have...

@dora71
Contributor

dora71 commented Jan 11, 2024

> It will be nice to have...

@Neustradamus as you can see above, my pull request has been merged so there is support for XMPP right now.
Only thing you need is an XMPP server which has some kind of HTTP API (tested with prosody that has either mod_rest or mod_post_msg enabled), but that is only needed for the XMPP Account which sends the 2FA. Reception works on every XMPP server.
What is still missing is that you can use any XMPP Server you like for sending the 2FA. Therefore, there must be an implementation of an xmpp library somehow.
Feel free to study the fork at: https://github.com/dora71/twofactor_gateway
