Lua 5.1 support removed

This is the first Prosody release that won’t support Lua 5.1, and this includes LuaJIT. While Lua 5.1 was a popular milestone for the Lua language and will likely live on for many years, maintaining backwards compatibility is a burden and was holding us back from adopting some nice APIs and features of more modern Lua versions.

Most distributions already supply newer Lua versions available and your package manager should figure everything out for you.

We recommend Lua 5.4 for most deployments, although Prosody will also run on Lua 5.2 and 5.3 for this release branch.

Note: Lua 5.4 support was lacking in Debian 11 and earlier. If Prosody complains about missing dependencies on your system when running with Lua 5.4, even though the dependencies appear to be installed, you may be encountering this problem. We recommend switching to an older Lua version such as 5.2 or 5.3 in this case. Or, you know, finally upgrading your OS :)

update-alternatives --config lua-interpreter

SQL schema changes

If you are upgrading from an earlier release and you use PostgreSQL or SQLite for storage, Prosody may refuse to initialize storage until you complete a schema upgrade. You may see log messages like this:

error    Old database format detected. Please run: prosodyctl mod_storage_sql upgrade

To check for any necessary schema upgrades and apply them, run:

prosodyctl mod_storage_sql upgrade

Restart Prosody (e.g. with systemctl restart prosody) after it completes.

Component permissions

With the introduction of the new roles and permissions framework, some default permissions have changed slightly. In most cases there is nothing you need to do, but some deployments may need tweaking.

The most common component module affected by the change is mod_http_file_share. It will work without any changes if your Component domain is a direct subdomain of your VirtualHost. This means if you have something like VirtualHost "example.com" and Component "upload.example.com" "http_file_share" then you’re all good!

Some more unusual configurations may need to explicitly set the permissions. This includes configurations where:

• The component is not a direct subdomain (e.g. VirtualHost "example.com" with Component "upload.xmpp.example.com" "http_file_share")
• The component is shared by multiple VirtualHosts

In both cases you are probably already using the disco_items option to link the component with the VirtualHost.

If you have a single VirtualHost using the component, then under the Component you can set the parent_host option:

Component "upload.example.com" "http_file_share"
  -- Grant permissions for users on the 'xmpp.example.com' VirtualHost
  parent_host = "xmpp.example.com"

If your component is used by multiple VirtualHosts, the easiest thing to do is grant the permissions to every VirtualHost on the current Prosody instance. For this, use the server_user_role option:

Component "upload.example.com" "http_file_share"
  -- Grant permission for all users on this Prosody instance
  server_user_role = "prosody:registered"

Manual SSL configuration issues

It was discovered after release that Prosody 13.0.0 does not honour manual SSL/TLS configuration for direct TLS ports. This includes HTTPS ports and XMPP “direct TLS” (usually port 5223), for example.

If you use the automatic certificate configuration, you are not affected by this.

If your configuration contains an ssl or *_ssl option such as https_ssl or c2s_direct_tls_ssl under a VirtualHost or Component, then in Prosody 13.0.0 this configuration will be ignored. Global options are still applied correctly.

Automatic certificate selection was introduced way back in Prosody 0.10 (2017) and most people are now using this method. While we encourage anyone who can to switch to automatic certificate loading, we understand that in some special cases it is necessary to override Prosody’s certificate selection and specify a certificate manually.

This change was unintentional and is tracked as issue #1915. We plan to fix it in an upcoming bugfix release.

Modules

A number of popular modules have transitioned from community modules into Prosody with this release:

• mod_cloud_notify
• mod_http_altconnect

And the following modules are completely new:

• mod_account_activity
• mod_flags
• mod_s2s_auth_dane_in
• mod_server_info

Administration

• New ‘prosodyctl check features’ recommends configuration improvements
• mod_announce: Add shell commands to send messages to all users, online users, or limited by roles
• New mod_account_activity plugin records last login/logout time of a user account
• New ‘watch log’ command to follow live debug logs at runtime
• Similarly, ‘watch stanzas’ can be used to capture XML logs in real-time

Networking

• Honour ‘weight’ parameter during SRV record selection
• Support for RFC 8305 “Happy Eyeballs” to improve IPv4/IPv6 connectivity
• Support for TCP Fast Open in server_epoll (pending LuaSocket support)
• Support for deferred accept in server_epoll (pending LuaSocket support)

MUC

• Component admins are no longer room owners by default. This can be reverted to the old behaviour with component_admins_as_room_owners = true, but this has known incompatibilities with some clients. Instead, use the shell or ad-hoc commands to gain ownership of rooms when necessary.
• Permissions updates:
  • Room creation restricted to local users (of the parent host) by default
    • restrict_room_creation = true restricts to admins, false disables all restrictions
  • Persistent rooms can only be created by local users (parent host) by default
    • muc_room_allow_persistent = false restricts to admins
  • Public rooms can only be created by local users (parent host) by default
    • muc_room_allow_public = false restricts to admins
• Commands to show occupants and affiliations in the Shell
• Save ‘reason’ text supplied with affiliation change
• Owners can set MUC avatars (functionality previously in community module mod_vcard_muc)

Security and authentication

• New role and permissions framework and API
• Ability to disable and enable user accounts
• A “grace period” is now supported for deletion requests via in-band registration
• Advertise supported SASL Channel-Binding types (XEP-0440)
• Implement RFC 9266 ‘tls-exporter’ channel binding with TLS 1.3
• Implement ‘tls-server-end-point’ channel binding
• Full DANE support for s2s
• No longer check certificate Common Names per RFC 9525

Storage

• Performance improvements in internal archive stores
• Ability to use SQLite3 storage with LuaSQLite3 instead of LuaDBI
• SQLCipher support

Module API for developers

• New ‘keyval+’ combined keyval/map store type
• Config interface API can require that string values be picked from a provided set
• Acceptable interval can be specified for number options
• Method for parsing time periods / intervals from config
• Method for retrieving integer settings from config
• It is now easy for modules to expose a Prosody shell command, by adding a shell-command item
• Modules can now implement a module.ready method which will be called after server initialization
• module:depends() now accepts a second parameter ‘soft’ to enable soft dependencies

Configuration file

• The configuration file now supports referring and appending to options previously set
• Direct usage of the Lua API in the config file is deprecated, but can now be accessed via Lua.* instead
• Convenience functions for reading values from files, with variant meant for credentials or secrets (e.g. from systemd-creds)