Only a few months after #Movim 0.24 here comes Movim 0.25 Nagata!

Let's have a look at all the new features and fixes that you can find in this exciting #release.

What's new?

Message files refactoring

The attached #message files metadata are now moved to the Movim SQL database, this allows way more flexibility to handle then including the upcoming work on the multi-files per message feature.

Along this change comes the support of thumbhash. The general idea is to build a small blurred version of the image that can be transferred and store inside the message metadata and then render it as a placeholder for the image before it gets downloaded.

Internal file upload proxy, bye bye CORS!

When you upload a file on Movim, it is not store in Movim itself but directly on your #XMPP server File Upload Service.

This feature, defined in XEP-0363: HTTP File Upload is pretty useful and widely implemented in the XMPP ecosystem. However XMPP web clients, such as Movim, have to deal with browser related limitations called #CORS (Cross-origin resource sharing) that needs some more configuration on the XMPP servers to allow upload files from domains that are not the same as the XMPP file #upload service one.

This new version comes with an internal file upload proxy, basically your file is first uploaded to a temporary script in Movim that then take care to upload it to your XMPP File Upload Service. This change makes all those configuration obsolete and greatly simplify the Movim deployment and configuration.

One small detail, please ensure that your PHP upload_max_filesize internal setting is large enough to handle the files that will be uploaded to the XMPP servers, somes are allowing up to a few hundreds megabytes for the maximum file sizes.

Automatic Nightmode 🌙

Movim is having a Nightmode toggle for a while already. A few internal changes is now allowing Movim to just follow your browser or operating system directives.

XEP-0410: MUC Self-Ping (Schrödinger's Chat)

As defined in the introduction of the XEP:

The Multi-User Chat (XEP-0045) [1] protocol was not designed to handle s2s interruptions or message loss well. Rather often, the restart of a server or a component causes a client to believe that it is still joined to a given chatroom, while the chatroom service does not know of this occupant.

Movim is now implementing the basic features of this XMPP extension and therefore automatically disconnect your from a chatroom if no activity was detected for a few minutes and if the ping doesn't come back positively. It was reported in the issue 1164.

Various other fixes

This version also fixes a few issues like a bug that prevented sometimes Movim to resynchronize the conversations history for one-to-one discussions, a SRV record certificate validation misconfiguration or a wrong priority of the XEP-0319: Last User Interaction over the XEP-0203: Delayed Delivery presences that were giving wrong information regarding your contact "last activity".

What's next?

This release should be the last one before some exciting huge set of features, with the support of the NLNet Fundation that will be integrated in Movim in the upcoming months. It seems that it should improve a few things regarding audio and video calls, stay tuned! 👀

Hope that you'll enjoy all those changes 😊

That's all folks!

Movim 0.24, codename Mueller is out. Let's dive in all the new exciting things that you can find in this new release!

What's new?

XEP-0386: Bind 2, XEP-0388: Extensible SASL Profile and XEP-0474: SASL SCRAM Downgrade Protection

Movim was definitely not the first one integrating those XMPP extensions but their implementation finally brings a much modern authentication stack to the project.

Bind 2 and Extensible SASL Profile greatly simplifies the authentication flow allowing Movim to connect (and reconnect) even faster, don't worry the older method is still there and will allow you to connect on #XMPP servers that don't support yet this new mechanism.

SASL SCRAM Downgrade Protection is a small security layer that sits on top of SASL (the authentication framework used by XMPP) to prevent channel-binding downgrades attack during the handshakes methods. It starts to be enforced by several servers nowadays such as ejabberd.

We would like to thank fabiang that did an awesome work on the #PHP #SASL library to add the SCRAM Downgrade Protection to it and allow a proper integration of the feature in Movim. Thanks!

Complete page navigation loading refactoring

You may not have seen it but a big #refactoring work was done under the hood to greatly simplify the navigation system in Movim.

This allows you to have a working and reliable "back-button" experience across the user interface. It is actually especially noticeable on mobile where the back button is used a lot to switch between the different UI elements (drawers, pages, sliders...).

This refactoring also fixed a few important bugs regarding the user interface internal events that were creating weird behaviors. For example, in some cases, when you were loading several time the same page in a row, the same event was attached several time to some buttons creating an mess when clicking on it.

And finally the browser - server connection (that relies on a Websocket) was also refactored and simplified fixing numerous connectivity bugs that we had until now.

Changes when publishing an article

The post publication form was slightly reorganized. The post privacy toggle was more clearly defined and another one, to disable comments and likes, was added next to it.

Interface improvements

Since its big rewrite in 2014 Movim relies on the Google #Material Design system. This version continue the integration of Material 3 with the redesign of the search and chat boxes as well as small forms and buttons details.

A new placeholder was also added when starting a new chat allowing you to quickly add the user to your contact list or block him.

Other fixes and improvements

A few #OMEMO bugs were also fixed, especially the bug #1261 that was preventing Movim users to decrypt their own messages in chatrooms.

We also fixed an annoying video-conferencing bug (#1274) that was preventing Movim to accept some specific audio and video calls. This allows Movim to process calls properly coming from #SIP bridges and to connect with SIP clients like Linphone !

We would like to especially thanks toastal for his several contributions to the project including internal image size picture management, a big refactoring of the internal language management system and some more minor interface and performances fixes.

What's next?

This version prepared the last important bricks required to introduce the early steps of the big audio and video-conferencing refactoring, especially with all the navigation and interface internal events management that was done the past few releases.

We will tell you more about it soon, stay tuned!

In the meantime, please share the good news around you and don't forget to update your server if you're an admin!

That's all folks!

Only a few months after Movim 0.21 - Whipple we are releasing Movim 0.22, codename Kowal.

This version was more focused on stabilization, cleanup and refactoring but also introduces a couple of new exciting features. It requires PHP8.1+ to work properly.

Let's dive in!

Blog privacy toggle

Already introduced in a previous blog post this new feature allow you to change your blog privacy level between "public" and "subscribers only".

Global OMEMO toggle

After some feedback from the community a global #OMEMO toggle was introduced in the settings. OMEMO is therefore disabled by default from this version.

This decision is especially linked with the current encryption implementation that relies on libsignal-protocol-javascript that is deprecated by their authors. The performances of this library are not that great, especially on mobile devices, which caused lots of accessibility issues for some Movim newcomers.

For now, no serious alternative are available, if you know one do not hesitate to tell us about it.

Fixes and improvement around audio-video calls

Several small tickets (#1212, #1213, #1214) linked to the the audio-video call integration and compatibility with other clients were fixed.

Missed and refused call events are also now tracked properly and displayed in your contacts conversations.

Cleaner URLs

The ? was (finally) removed in front of all the URLs! While being way cleaner it also fixes some issues when #Movim URLs were shared around, especially on some other social-networks. Don't worry about retro-compatibility, existing URLs are redirected to the new format.

Rewrite of the XEP-0077: In-Band Registration related code

Movim is supporting XEP-0077 for close than 10 years now and this code was never really refactored since then. All the #XMPP code, and related user flow, were cleaned and upgraded to the latest Movim standard, fixing a few issues in the meantime!

New Chat bubble design and interaction

Kowal introduce a totally new way of interacting with the chat bubbles.

While keeping the small actions icons on desktop it is now possible to simply click (or tap) on the bubbles to open a sub-menu which presents all the actions available.

This menu allows you to react, retract, reply and copy the message content in one click/tap. Easy!

Under the hood... or not

An important refactoring was done to simplify and factorize redundant items in the UI. This brought some big code cleanup, both on the front part (what is taking care of what you see) of Movim but also in the core and XMPP layers. The code was modernized and ported to PHP8.1+ in many places as well.

Several Pubsub related issues were fixed improving the compatibility with existing XMPP servers such as Prosody or ejabberd (see the related ticket). Movim now detect Pubsub nodes misconfiguration and reconfigure them properly to respect the privacy and settings specified in all the Pubsub related implemented XEPs that it supports.

This refactoring also brought some small UI improvements such as a new design for the contact status bubbles and a totally new way to handle Contacts and Communities avatars. We are strongly advising you to configure the Picture Proxy Cache on your Web Server when upgrading to greatly improve the page load time.

Two important security fixes

CVE-2023-2848 fixes a security issues that allows under certain circumstances to open a #Websocket to Movim from a different domain. It was fixed in this commit.

CVE-2023-2849 is not directly linked with Movim itself but the related server configuration.

When the domain that host upload files is the same as where Movim is hosted it is possible to upload a malicious Javascript file and execute it in the Movim sandbox. The attack surface is really minimal but we advise you to ensure that such case cannot happen on your instance. To do so you can use different domains between the two services or force the browser to handle all the uploaded files as attachments and not inline elements using a simple HTTP header:

    add_header Content-Disposition attachment;

What's next?

The multi-part audio and video-conference feature that was planned for the 0.22 is pushed back to the 0.23. The amount of work planned for that is quite big, therefore it was more relevant to move all the code cleanup and refactoring plans in Kowal and have this milestone before jumping into this new exciting feature set !

As always, if you find issues or want to share some feedback you have on the project, you can find how to contact us on our official website and our Github.

That's all folks!

We are happy to introduce Join Movim 🥳

Discover and explore all the existing public Movim servers and add yours to expand even more the federated network 🌍 !

An up-to-date Movim instance is required if you want to add yours to the list. The registration process is quite straightforward. The servers list is refreshed each hour.

#Movim #XMPP #federation #join