Following last month's 0.30 Encke important upgrade here is the first bug-fix release!

What's new?

Animated pictures support in the image proxy

Movim is proxying all the pictures to recompress and cache them along the way (the cache needs to be configured in your web server, see the dedicated documentation for that).

For animated GIFs, it used to only take the first frame and compress it in WebP, like for all the other pictures. Now Movim tries to turn it into an animated WebP!

The Picture Proxy was also refactored to handle some cases with some buggy picture URLs.

New Avatar and Banner Configuration Panel

The avatar and banner configuration panel was redesigned to give you a nice overview of your final profile page.

XEP-0392: Consistent Color Generation support! 🎨

The internal color palette handling was refactored and slightly adjusted to integrate better with the Accent Color feature introduced in 0.30. A few new colors were added along the way.

Movim is now implementing XEP-0392: Consistent Color Generation. This means that the same user or content will have the same colors on all your different XMPP clients. ✨

Slight adjustment of the ChatroomPings service

Movim is implementing XEP-0410: MUC Self-Ping (Schrödinger's Chat) to ensure that you are still connected to your chatrooms even if there is no activity in them. The ping-pong system was a bit too sensitive and could declare a disconnection in some cases; the timeout was adjusted to prevent most of those unfortunate disconnections from happening.

Dropping MySQL support

Movim had "MySQL" and PostgreSQL support for a while already. The original MySQL database was forked as MariaDB and both started to evolve very differently the past few years. MariaDB finally became the "default" database in most of the Linux distributions.

The two databases were always considered as "flavors" until now, but only MariaDB was extensively tested with PostgreSQL during development.

It seems that the now MySQL DB is not compatible with Movim anymore and will require very specific support to fix all the migrations and some queries that are not working anymore on it.

It was therefore decided to only keep the PostgreSQL and MariaDB support, PostgreSQL still being the (strongly) recommended one.

What's next?

Going back to the multi-participant calls project, lots of exciting things to do! Stay tuned. ☺️

That's all folks!

#movim #release #xmpp #features #database #colors #mysql

New year, new #release ! This time with plenty of new exciting features, let's have a look at them. 😊

Stories

The past few years several chat platforms tried to blur the line between their chat and social features.

Stories are a very nice way to share content with your contacts and allow them to react easily by chat.

Movim 0.29 is the first XMPP client that implements Stories. A specific XMPP extension, XEP-0501: Pubsub Stories, was created to standardize and allow perfect compatibility with other clients on the network. XMPP is once more showing its capability to be a perfect protocol to build this kind of feature and deploy it easily across a large network of compatible clients.

While writing this article some other XMPP clients are already planning to implement the feature.

You'll be able to create a new Story by taking a picture directly with your camera or select one from your gallery, edit it, add a small text and publish it to your contacts. Your story will then be available for 24 hours, and your contacts will be able to comment on it by sending you a chat message.

In the upcoming versions more features will be progressively added to complete those ones. If you are looking for a feature in particular feel free to drop a comment or a message in the support room. 😌

Briefs

This version is also introducing Briefs, a simpler way to publish content on your profile or in your Communities.

Until now you were invited to write posts having a title and a content. Briefs allows you to directly publish a short text to your contacts like on Mastodon, Twitter or Bluesky. If you feel the need to express yourself in a more "bloggy" way you can always switch back to the complete experience.

Some refactoring was done in the database and user interface to better integrate Briefs in the feeds.

But also...

An important refactoring was done regarding how the internal dates and times were handled. Now each connected user is sending its own timezone on login and all the times are generated dynamically using those timezones; this solves some weird calculated hours during the switch between daylight saving times.

Lots of fixes were done in how the chat discussions are handled and cached. This is fixing a few erratic behaviors in how chat discussions were ordered and their related notifications displayed.

And as always some database, user interface and JavaScript fixes.

Some news from the Movim Live project

The Phase 2 of the Movim Live project is finally getting in shape. Movim is now able to start and join a multiparticipant call and get their cameras and microphones. This required some important refactorings in how the calls and media streams were handled internaly, you can follow the dedicated branch there Pull Request: Multiparty Jingle.

This second important phase should be finished in a few months and a dedicated version (maybe a 0.30 ?) will be published then.

In the meantime lets enjoy all the new exciting features.

Happy New Year to all the #Movim and #XMPP users 🎉

That's all folks!

#stories #briefs #story #brief

tldr; On the night between the 2nd and 3th of October 2024 a corruption of the mov.im instance HTTP cache allowed several users to be connected as another person. Only one account was affected.

This issue only affected the mov.im instance and doesn't apply to the Movim project itself.

The nxing location issue

On the 2nd of October evening a new #nginx #configuration was pushed on the mov.im virtualhost. This configuration is using fastcgi_cache to #cache some URLs and lighten up the load put on the PHP side and therefore Movim.

The existing configuration looked like this:

server {
    server_name mov.im;

    location /picture {
        set $no_cache 0;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location / {
        set $no_cache 1;
        if (!-e $request_filename) {
            rewrite ^/(.*) /index.php?query=$1 last;
        }
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;

        add_header X-Cache $upstream_cache_status;
        fastcgi_cache nginx_cache;
        fastcgi_cache_valid 200 301 302 1h;
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;
    }
}

The fastcgi_cache module is by default enabled for all the .php files called, is disabled for all the URLs except for the /picture ones. The reverse logic is what made things a bit confusing there.

The configuration change added a new section:

    location = / {
        # Introduced configuration
    }

This new section was applied only to the root https://mov.im/ requests but didn't contained the $no_cache parameter line.

The second confusion came with how nginx is handling their locations blocks. The DigitalOcean - nginx location directive examples explains it quite clearly.

Some locations blocks definitions are used or passed to the next matching one:

3. NGINX location block for a directory The following location block will match any request starting with /images/ but continue with searching for more specific block for the requested URI. Therefore the location block will be selected if NGINX does not find any more specific match.

And some others don't:

2. NGINX location matching exact URL NGINX always tries to match most specific prefix location at first. Therefore, the equal sign in the following location block forces an exact match with the path requested and then stops searching for any more matches.

The new introduced block (location = /) behave like the second definition. nginx basically used it and stopped there, applying cache to it without jumping to the "default" one location /.

The consequences

One of the mov.im users, lets call it Matt (name was changed) had a quite intensive activity on the instance, he basically created a little script to login and logout each 2-3 minutes to check a few parameters. This was not the cause of the issue but this activity raised the chances that he was the first one to hit the / URL when reconnecting.

The PHP script processed the XMPP authentication successfully and set à cookie to Matt to let him enjoy Movim.

The new nginx faulty configuration cached this call.

The following hours many new users that tried to authenticate reached this URL and nginx directly returned the cached version... containing the cookie created especially for Matt.

And then suddenly lots of persons were Matt.

Fixing the issue

Early in the morning, waking up, I was notified personally and on the support chatroom that some users were connected as other users.

The mov.im instance was disconnected as well as the nginx configuration.

I contacted Matt personally explaining the issue and asking him to change his password and started an investigation. A few small but not directly related issues and improvement concerning the session management were fixed.

The actual one was found by searching the nginx cache for cookie content and I quickly figured out that the new nginx configuration was the cause of that.

Aftermatt/aftermath

The configuration is for now reversed to the old one and the nginx cache is disabled, I'll try to find a cleaner way to re-enable it to prevent such issue to pop again in the future.

Only Matt (the first one to hit the cache) was affected by this issue so normally no other account were affected by the issue. If you logged during that night on mov.im I'd still recommend to change your password just in case.

That's all folks, and sorry for the mess.

edhelas

#security #issue

We're getting close to one #release per month! Indeed, a lot of things are going on in the project at the moment. Let's have a look at all the important new features and fixes before giving some details about the #Movim Live project.

Freshly redesigned Search panel

To bring some coherence and uniformity to the UI the Universal #Search tool has been reorganized and redesigned; it now gives you more interesting results in a more compact way.

Using one keyword you will be able to search into your contacts, communities, article tags as well as recent articles and public contacts. Some optimizations were also made to speed-up the results.

Improved account gateways and administration features

Movim has been handling XMPP gateways for many years already; they allow you to connect and chat with people on many different platforms directly from your main XMPP account. Lots of work and tests were also done to improve those gateways integration, especially with Slidge which has become a reference in the #XMPP ecosystem the past few years.

In the configuration panel you will now be able to easily subscribe, manage and unsubscribe with those gateways thanks to a redesigned and improved Gateways section.

As a Movim administrator the dedicated Admin panel was also redesigned and reorganized to be easier to handle.

Databases fixes

Two important database issues were fixed. One was preventing some migrations to run properly on MySQL (PostgreSQL is still the recommended database for a Movim setup), another one was limiting the length of the URLs that were shared in the messages.

Movim Live, end of Part I

Thanks to a wonderful funding from NLNet a lot of work regarding videoconferencing is on the way in the project.

This release is finally pushing the last pieces of Part I that was focused on refreshing and modernizing the existing stack. In the upcoming week we will start to work on multi-participants calls with the focus to integrate with Dino and bring fully standard and decentralized video-calls on the XMPP network, and across several clients and servers ✨

But first lets have a look at all the cool stuff introduced with this release ☺️

Introducing the new call flow and conference lobby

Until now you were only allowed to configure your microphone and #camera once the call started. This version is introducing a brand new Lobby widget that takes care of preparing all you need to start or reply to a call serenely.

It fully replaces the old Reply and Call Configuration widgets by merging their features into one unique place. A lot of related code was cleaned up, modernized and refactored during the process.

This new panel also prepares the upcoming multi-participants flow allowing you to be fully setup and ready before joining a conference.

Other improvements and fixes

Movim is now able to detect network connection issues and send an end call message to your contact if it cannot recover the call.

The screen sharing and camera switch buttons were also fixed to work properly on all devices, including Android ones.

If you find issues or have nice ideas to improve all those new features do not hesitate to drop a message on our support channel or open a ticket on the bugtracker.

What's next?

Movim Live Part II, multi-participants video-conferencing! Even if a lot is already planned it is a totally new paradigm for Movim, so a lot of explorations, trials and errors will be made. Hopefully all those new exciting features will land in an upcoming release 😌

In the meantime enjoy the 0.28 release, upgrade your server and share the good news! And thanks to all the people in the community for their support, you rock!

That's all folks!

What was planned to be a minor #release after last month one turned out to be a major release regarding the number of changes, new features and fixes that were made in the meantime. Let's have a look!

Edit: a small fix was made just after the release, it is available in a v0.27.1 release.

Important security fix: remote code execution through unsafe unserialize

An important security issue was discovered just before this release, and it was decided to directly fix and release it. We are strongly encouraging you to upgrade your instance to this version.

Context

For more than ten years now Movim has saved its user configuration in a dedicated PubSub node on the user XMPP profile. This allows the user to keep its Movim instances synchronized and get their configuration back if they choose to migrate to a new instance.

Back then, it was decided to simply save the PHP configuration as a serialized string in a PubSub node item.

A malicious person could then inject in its own XMPP profile a malicious serialized string that Movim will try to parse when connecting making Movim vulnerable to a remote code execution attack. This related blog post explains it quite well.

Security fix

The serialize and unserialize related code has been completely replaced and rewritten. Movim is now publishing its configuration as a standard XEP-0004: Data Forms now which is also cleaner and easier to handle.

What's new?

First steps of the Movim Live video-conferencing project

Last month we announced that NLNet was funding a large set of features around video-conferencing in Movim.

This release brings the first important changes live 🎉

Moving the pop-up back to the main tab

When video-conferencing was first added to Movim the platform was not yet a full Progressive Web App and the pages were reloading the Javascript environment completely each time the user clicked on a new link. The video-conferences were then moved to a dedicated pop-up to ensure that the connection was not accidentally reloaded during the call.

A lot of work has been done over the past few releases to keep the Javascript session alive and load the content dynamically when navigating on the platform.

This release not only brings back the video-conference window in the main tab but also integrates it dynamically into the discussions.

Introducing the floating, chat-integrated, and full-screen modes

When making a call you will now be able to switch dynamically between the different modes.

When chatting with the person the video and audio call are integrated directly on top of the discussion. It automatically switches to floating mode on the other pages. Some more work regarding those modes and their integrations will be planned in the future.

It is also possible to quickly switch to full-screen mode anytime if you want to really focus on the call with your friend.

Current call status

With the reintegration of the popup a lot of work was also done in the backend to keep track of all the events of the call. A specific CurrentCall object was created allowing the interface to be aware in real time of the call status.

The chats list and header now display a blinking "In call" status.

Modernization of the XMPP Jingle stack

The related pull request also brings a huge refactoring of the video-conferencing Javascript code and a modernization of the Jingle stack, fixing a few bugs along the way.

This is just the beginning

Those are just the first few steps. In the upcoming months we are planning to integrate multi-participant calls as well as server-side handled video-calls. Stay tuned, the Movim Live project will really bring a lots of awesome surprises!

Database refactorings, cleanups and UI fixes

Movim was storing a few pieces of data as serialized objects in the Cache table, including the status of incoming invitations and notifications, open chats and the last article read. The related caches table was completely removed and the related data is now stored properly in dedicated tables.

Along the way, some broken migrations were also fixed and the related database libraries were updated.

A lot of small UI bugs were also fixed in this version.

What's next?

The Movim Live project will be the main priority in the upcoming months.

We are expecting some surprises and difficulties along the way, so no promise can be made regarding the deadlines and the features to come in the upcoming release.

Don't forget to share this release around and support us if you like what we're doing 😊

That's all folks!

#nlnet #security #videoconference #database

Another month, another release! We are happy to introduce Movim 0.26, codename Borrelly.

What's new?

Custom Emojis (yay 🎉)!

Movim implemented the Stickers feature a while ago already but always lacked the ability for users to send some custom #emojis to their friends.

This is now implemented thanks to the complete integration of the #XMPP extension XEP-0231: Bits of Binary which was already used partially by the Stickers.

The available emojis packs are imported by the administrator using a new console command that is compatible with the Mastodon or Plemora emojis pack

For example you can import the neofox pack by Volpeon using the following command:

web-user$ php daemon.php importEmojisPack https://volpeon.ink/emojis/neofox/manifest.json

You'll need to run this command using your webserver user, the script will take care of downloading the ZIP file, copy the pictures and seed the database to make them available to all the #Movim instance users.

Each user will then be able to pick their favorites in the Configuration panel and insert them while chating.

When adding a new favorite emoji the user will be able to add a custom :trigger-word: to insert the emoji in its message.

This feature is compatible with a few other XMPP clients sur as Pidgin (!) and Cheogram.

Codeblock support in messages

By using the codeblock syntax it is now possible to insert sourcecode extracts in your messages.

Better handling of spam messages

Some users were experiencing unsolicited and #spam messages issues. This new release doesn't send desktop and push notifications if the messages is not from a contact.

The 1-to-1 discussions can also be filtered to only display the ones you had with your contacts.

Updated message moderation and retraction

Movim now supports the latest version of Message Retraction and Message Moderation and therefore better integrate with the newest clients and servers implementations.

... but also some fixes

As always some issues were also fixed in this release.

The internal code was refactored to comply with the PSR-4 PHP standard. This should remove a lot of warnings when installing and upgrading.

Some shared image URLs were not handled properly in the chat and the preview was broken, this was fixed in the ticket #1314. The sharing of URLs and some embedding features were also greatly improved when writing a new article.

What's next?

We are happy to announce that Movim was selected by NLNet to fund a large set of exciting features around video-conferencing on the platform 🥳, including one-to-many audio and video calls. This will be the biggest project done until now and should keep us busy until next year.

Some more specifics and technical blogs posts will be published soon to explain more in details what all those changes will be about and which exciting features you will see in the upcoming releases.

Thanks a lot to them and don't forget to follow us to get all the latest details about this.

That's all folks!

#nlnet #funding #videoconferencing

A few days after Movim 0.25 Nagata here is a small bugfix release.

In this release you'll find a fix that prevented Firefox to Firefox audio-video calls to happen, a fix for a route parsing issue that was preventing articles to be attached properly in a new publication and a related one that was preventing articles to be shared to chat users.

One small improvement, the one-to-one chat list now includes preview of sent and received images and links.

That's all folks!

#movim #xmpp #bugfix #release

Only a few months after #Movim 0.24 here comes Movim 0.25 Nagata!

Let's have a look at all the new features and fixes that you can find in this exciting #release.

What's new?

Message files refactoring

The attached #message files metadata are now moved to the Movim SQL database, this allows way more flexibility to handle then including the upcoming work on the multi-files per message feature.

Along this change comes the support of thumbhash. The general idea is to build a small blurred version of the image that can be transferred and store inside the message metadata and then render it as a placeholder for the image before it gets downloaded.

Internal file upload proxy, bye bye CORS!

When you upload a file on Movim, it is not store in Movim itself but directly on your #XMPP server File Upload Service.

This feature, defined in XEP-0363: HTTP File Upload is pretty useful and widely implemented in the XMPP ecosystem. However XMPP web clients, such as Movim, have to deal with browser related limitations called #CORS (Cross-origin resource sharing) that needs some more configuration on the XMPP servers to allow upload files from domains that are not the same as the XMPP file #upload service one.

This new version comes with an internal file upload proxy, basically your file is first uploaded to a temporary script in Movim that then take care to upload it to your XMPP File Upload Service. This change makes all those configuration obsolete and greatly simplify the Movim deployment and configuration.

One small detail, please ensure that your PHP upload_max_filesize internal setting is large enough to handle the files that will be uploaded to the XMPP servers, somes are allowing up to a few hundreds megabytes for the maximum file sizes.

Automatic Nightmode 🌙

Movim is having a Nightmode toggle for a while already. A few internal changes is now allowing Movim to just follow your browser or operating system directives.

XEP-0410: MUC Self-Ping (Schrödinger's Chat)

As defined in the introduction of the XEP:

The Multi-User Chat (XEP-0045) [1] protocol was not designed to handle s2s interruptions or message loss well. Rather often, the restart of a server or a component causes a client to believe that it is still joined to a given chatroom, while the chatroom service does not know of this occupant.

Movim is now implementing the basic features of this XMPP extension and therefore automatically disconnect your from a chatroom if no activity was detected for a few minutes and if the ping doesn't come back positively. It was reported in the issue 1164.

Various other fixes

This version also fixes a few issues like a bug that prevented sometimes Movim to resynchronize the conversations history for one-to-one discussions, a SRV record certificate validation misconfiguration or a wrong priority of the XEP-0319: Last User Interaction over the XEP-0203: Delayed Delivery presences that were giving wrong information regarding your contact "last activity".

What's next?

This release should be the last one before some exciting huge set of features, with the support of the NLNet Fundation that will be integrated in Movim in the upcoming months. It seems that it should improve a few things regarding audio and video calls, stay tuned! 👀

Hope that you'll enjoy all those changes 😊

That's all folks!