Movim 0.24, codename Mueller is out. Let's dive in all the new exciting things that you can find in this new release!

What's new?

XEP-0386: Bind 2, XEP-0388: Extensible SASL Profile and XEP-0474: SASL SCRAM Downgrade Protection

Movim was definitely not the first one integrating those XMPP extensions but their implementation finally brings a much modern authentication stack to the project.

Bind 2 and Extensible SASL Profile greatly simplifies the authentication flow allowing Movim to connect (and reconnect) even faster, don't worry the older method is still there and will allow you to connect on #XMPP servers that don't support yet this new mechanism.

SASL SCRAM Downgrade Protection is a small security layer that sits on top of SASL (the authentication framework used by XMPP) to prevent channel-binding downgrades attack during the handshakes methods. It starts to be enforced by several servers nowadays such as ejabberd.

We would like to thank fabiang that did an awesome work on the #PHP #SASL library to add the SCRAM Downgrade Protection to it and allow a proper integration of the feature in Movim. Thanks!

Complete page navigation loading refactoring

You may not have seen it but a big #refactoring work was done under the hood to greatly simplify the navigation system in Movim.

This allows you to have a working and reliable "back-button" experience across the user interface. It is actually especially noticeable on mobile where the back button is used a lot to switch between the different UI elements (drawers, pages, sliders...).

This refactoring also fixed a few important bugs regarding the user interface internal events that were creating weird behaviors. For example, in some cases, when you were loading several time the same page in a row, the same event was attached several time to some buttons creating an mess when clicking on it.

And finally the browser - server connection (that relies on a Websocket) was also refactored and simplified fixing numerous connectivity bugs that we had until now.

Changes when publishing an article

The post publication form was slightly reorganized. The post privacy toggle was more clearly defined and another one, to disable comments and likes, was added next to it.

Interface improvements

Since its big rewrite in 2014 Movim relies on the Google #Material Design system. This version continue the integration of Material 3 with the redesign of the search and chat boxes as well as small forms and buttons details.

A new placeholder was also added when starting a new chat allowing you to quickly add the user to your contact list or block him.

Other fixes and improvements

A few #OMEMO bugs were also fixed, especially the bug #1261 that was preventing Movim users to decrypt their own messages in chatrooms.

We also fixed an annoying video-conferencing bug (#1274) that was preventing Movim to accept some specific audio and video calls. This allows Movim to process calls properly coming from #SIP bridges and to connect with SIP clients like Linphone !

We would like to especially thanks toastal for his several contributions to the project including internal image size picture management, a big refactoring of the internal language management system and some more minor interface and performances fixes.

What's next?

This version prepared the last important bricks required to introduce the early steps of the big audio and video-conferencing refactoring, especially with all the navigation and interface internal events management that was done the past few releases.

We will tell you more about it soon, stay tuned!

In the meantime, please share the good news around you and don't forget to update your server if you're an admin!

That's all folks!

Only a few months after Movim 0.21 - Whipple we are releasing Movim 0.22, codename Kowal.

This version was more focused on stabilization, cleanup and refactoring but also introduces a couple of new exciting features. It requires PHP8.1+ to work properly.

Let's dive in!

Blog privacy toggle

Already introduced in a previous blog post this new feature allow you to change your blog privacy level between "public" and "subscribers only".

Global OMEMO toggle

After some feedback from the community a global #OMEMO toggle was introduced in the settings. OMEMO is therefore disabled by default from this version.

This decision is especially linked with the current encryption implementation that relies on libsignal-protocol-javascript that is deprecated by their authors. The performances of this library are not that great, especially on mobile devices, which caused lots of accessibility issues for some Movim newcomers.

For now, no serious alternative are available, if you know one do not hesitate to tell us about it.

Fixes and improvement around audio-video calls

Several small tickets (#1212, #1213, #1214) linked to the the audio-video call integration and compatibility with other clients were fixed.

Missed and refused call events are also now tracked properly and displayed in your contacts conversations.

Cleaner URLs

The ? was (finally) removed in front of all the URLs! While being way cleaner it also fixes some issues when #Movim URLs were shared around, especially on some other social-networks. Don't worry about retro-compatibility, existing URLs are redirected to the new format.

Rewrite of the XEP-0077: In-Band Registration related code

Movim is supporting XEP-0077 for close than 10 years now and this code was never really refactored since then. All the #XMPP code, and related user flow, were cleaned and upgraded to the latest Movim standard, fixing a few issues in the meantime!

New Chat bubble design and interaction

Kowal introduce a totally new way of interacting with the chat bubbles.

While keeping the small actions icons on desktop it is now possible to simply click (or tap) on the bubbles to open a sub-menu which presents all the actions available.

This menu allows you to react, retract, reply and copy the message content in one click/tap. Easy!

Under the hood... or not

An important refactoring was done to simplify and factorize redundant items in the UI. This brought some big code cleanup, both on the front part (what is taking care of what you see) of Movim but also in the core and XMPP layers. The code was modernized and ported to PHP8.1+ in many places as well.

Several Pubsub related issues were fixed improving the compatibility with existing XMPP servers such as Prosody or ejabberd (see the related ticket). Movim now detect Pubsub nodes misconfiguration and reconfigure them properly to respect the privacy and settings specified in all the Pubsub related implemented XEPs that it supports.

This refactoring also brought some small UI improvements such as a new design for the contact status bubbles and a totally new way to handle Contacts and Communities avatars. We are strongly advising you to configure the Picture Proxy Cache on your Web Server when upgrading to greatly improve the page load time.

Two important security fixes

CVE-2023-2848 fixes a security issues that allows under certain circumstances to open a #Websocket to Movim from a different domain. It was fixed in this commit.

CVE-2023-2849 is not directly linked with Movim itself but the related server configuration.

When the domain that host upload files is the same as where Movim is hosted it is possible to upload a malicious Javascript file and execute it in the Movim sandbox. The attack surface is really minimal but we advise you to ensure that such case cannot happen on your instance. To do so you can use different domains between the two services or force the browser to handle all the uploaded files as attachments and not inline elements using a simple HTTP header:

    add_header Content-Disposition attachment;

What's next?

The multi-part audio and video-conference feature that was planned for the 0.22 is pushed back to the 0.23. The amount of work planned for that is quite big, therefore it was more relevant to move all the code cleanup and refactoring plans in Kowal and have this milestone before jumping into this new exciting feature set !

As always, if you find issues or want to share some feedback you have on the project, you can find how to contact us on our official website and our Github.

That's all folks!

We are happy to introduce Join Movim 🥳

Discover and explore all the existing public Movim servers and add yours to expand even more the federated network 🌍 !

An up-to-date Movim instance is required if you want to add yours to the list. The registration process is quite straightforward. The servers list is refreshed each hour.

#Movim #XMPP #federation #join