[Standards] Disco#info queries on strangers' PubSub nodes with access model 'open'

Paul Schaub vanitasvitae at riseup.net
Thu Jun 28 08:36:38 UTC 2018


Hi!

During the work on my GSoC project I stumbled across an issue with
PubSub and Service Discovery.

My server announces support for the PubSub access model 'open'.
Configuring a PubSub node with this access model, I expect users who are
not in my contact list to be able to fetch the contents of the node
without presence subscription. However, prior to fetching a PubSub node,
Smack will do a disco query on the node in order to get some information
about it like whether it is a LeafNode or a CollectionNode etc. My
server will respond to those queries with an error, stating that
subscription is required.

16:08:18 SENT (0):
<iq to='smack-inttest-two-txydb@server.tld' id='VEKYj-203' type='get'>
  <query xmlns='http://jabber.org/protocol/disco#info'
         node='urn:xmpp:openpgp:0:public-keys'></query>
</iq>

16:08:18 RECV (0):
<iq xml:lang='en' to='smack-inttest-one-txydb@server.tld/one-txydb'
    from='smack-inttest-two-txydb@server.tld' type='error' id='VEKYj-203'>
  <query node='urn:xmpp:openpgp:0:public-keys'
         xmlns='http://jabber.org/protocol/disco#info'/>
  <error code='407' type='auth'>
    <subscription-required xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
    <text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Not subscribed</text>
  </error>
</iq>

Talking to the server developers, I was told that the error is returned
in order to prevent JID harvesting, that is, determining whether the
account exists or not. However, I would argue that even if the server
keeps returning the error, JID harvesting would still be possible by
fetching the pubsub node directly without first doing the disco query.

My question now is: What is the expected behaviour of the server in this
case? There should be one specified 'correct' behaviour, right?

XEP-0060 §3 states that implementations are required to respond to a
disco#info, while RFC-6120 §13.11 says that a server "might not return
any error at all in response to certain kinds of received stanzas, so
that a non-existent user appears to behave like a user that has no
interest in conversing with the sender".

In my case I will probably just use a small hack to directly query the
pubsub node without sending a disco#info as a workaround/fallback.

Happy Hacking
Paul
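
An added example (not part of the original post, and not Smack or server code): a check a server developer could run over captured replies to see which request types let a stranger tell an existing account from a missing one, the concern raised above about the disco#info error. The replies, JIDs and the helper names `signature` and `leaking_requests` are constructed, and the server behaviour they encode is an assumption.

```python
import xml.etree.ElementTree as ET

STANZAS_NS = "{urn:ietf:params:xml:ns:xmpp-stanzas}"
ERR = ("<iq type='error' id='{id}' from='{jid}'><error type='{etype}'>"
       "<{cond} xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>")

# Constructed replies as seen by a stranger: (existing account, missing account).
# Assumption: the server answers disco#info identically in both cases, and
# answers an items request with the node contents only when the account exists.
SAMPLE = {
    "disco#info": (
        ERR.format(id="a1", jid="exists@server.tld", etype="auth", cond="subscription-required"),
        ERR.format(id="a2", jid="missing@server.tld", etype="auth", cond="subscription-required"),
    ),
    "pubsub items": (
        "<iq type='result' id='a3' from='exists@server.tld'>"
        "<pubsub xmlns='http://jabber.org/protocol/pubsub'>"
        "<items node='urn:xmpp:openpgp:0:public-keys'/></pubsub></iq>",
        ERR.format(id="a4", jid="missing@server.tld", etype="cancel", cond="service-unavailable"),
    ),
}

def signature(stanza_xml):
    """Reduce an IQ reply to (iq type, error type, error condition).

    Ids, addresses and the human-readable <text/> are dropped: they vary per
    request and say nothing about whether the account exists.
    """
    iq = ET.fromstring(stanza_xml)
    if iq.get("type") != "error":
        return (iq.get("type"), None, None)
    error = next((c for c in iq if c.tag.rsplit("}", 1)[-1] == "error"), None)
    if error is None:
        return ("error", None, None)
    cond = next((c.tag[len(STANZAS_NS):] for c in error
                 if c.tag.startswith(STANZAS_NS) and not c.tag.endswith("}text")), None)
    return ("error", error.get("type"), cond)

def leaking_requests(replies):
    """Return the request kinds whose replies differ between the two accounts."""
    return sorted(kind for kind, (existing, missing) in replies.items()
                  if signature(existing) != signature(missing))

if __name__ == "__main__":
    print(leaking_requests(SAMPLE))
```

With these sample replies only the items request is flagged: a uniform disco#info error does not help if another request type still answers differently for existing accounts.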
