Provide phone number verification via SMS OTP using Prav app

Currently we provide accounts on request and it involves a manual process. Prav is looking for gratis XMPP providers as a fallback option since Prav accounts need a subscription and some people may not be able to or want to pay. See https://codeberg.org/prav/pravserver/issues/21 for details. This would help us avoid the manual processing (we can still offer that to people who don't want phone number verification for more privacy) and prevent spam sign-ups to a large extent (creating many phone numbers would be costly and riskier to do anonymously).
We will need to provide a component API to create users (maybe later for directory query) and access for the prav server to connect to this endpoint. ejabberd already has the required component code; we will have to write a component for prosody.

Buster Keaton Tue 25 Mar 2025 5:43PM
@Pirate Praveen Oh I see. Thank you for explaining.
At present there are 2 options: Prav and Durare. If Prav creates Durare accounts, we will have 3 options, the third being a combo of 1 and 2. As long as the 2nd option, i.e. on-boarding without linking a phone number, exists, and a custom username is made compulsory for Durare accounts, I guess it is fine. If it enables easier onboarding, that is good.
At present, the data of users is stored in Durare's server only; after this, some identifiable data will be stored in Prav's server too. So, this takes away a bit of control and adds more liability for what may happen with Prav's server. Maybe I am understanding it differently.

Pirate Praveen Tue 25 Mar 2025 6:46PM
@Buster Keaton Prav would store the phone number to xmpp id mapping in the directory. It'd also add a reset password option via sms otp. We can add an option to turn off password reset via sms, but they must remember the password. We could require both password and otp (though costwise we might be better with a 2FA app) too. We can give these as options to users.

perry
Tue 25 Mar 2025 9:06AM
Changing my vote to agree

Buster Keaton
Tue 25 Mar 2025 5:43PM
Same concern as Kannan. Phone numbers of future Durare users will be on Prav server, and as a result maybe they are discoverable via phone numbers too? What if users want to have accounts at both prav and durare? Will they be linked and identified through query by other users? I wouldn't want that.
The only advantage I see for durare is of no manual account processing. It will be of help to volunteers, but I don't want to have more liability on our side.

Kannan V M
Wed 26 Mar 2025 5:58PM
As durare is a free software community hosted project, I would recommend that it collect the minimum possible data; a phone number can be identifiable information, which will add more liability on our side.
UPDATE: Durare will maintain the status quo; anyone can create an account by request. This effort is to add a new method of registration, using prav and phone number.
Since the status quo will be maintained, and this is an additional capability provided by prav, I change my vote to agree.

Badri Sunderarajan Tue 18 Mar 2025 12:52PM
A hacky JavaScript library that connects through Metronome through telnet to create accounts. I don't remember why it was done this way instead of using metronomectl, but just putting it here in case it's helpful. (For context, Metronome is a fork of Prosody with many similarities)

Pirate Praveen Tue 18 Mar 2025 7:12PM
@Badri Sunderarajan we could run prosodyctl over ssh. If prosody has an admin api, we could use that over an ssh tunnel or tinc vpn.

Pirate Praveen Sun 23 Mar 2025 7:15PM
@Buster Keaton @perry prosody provides an http api to generate invite codes, right? Does that allow creating users too?

fugata Mon 31 Mar 2025 9:49AM
Looks like I missed this poll.
My main concern is complication of Prav's onboarding flow. In Quicksy, it's very simple - enter phone number, enter OTP, enter display name. If we want to focus on mass adoption, we have to keep it just that simple, and minimize requiring users to learn new terms or concepts.
Custom username option, quicksy.im accounts option, durare.org accounts option... all of them will introduce complication and mental overhead for new users.

Pirate Praveen Sun 23 Mar 2025 6:11PM
@Buster Keaton Quicksy already allows people to link their phone numbers to any xmpp address including durare.org. Prav could also offer that, so people will be able to do this anyway. We are just making that option easier to use. The whole idea of Prav is to be discoverable by phone number. Those who don't want that don't have to use Prav to talk to Prav users (that is the unique thing about this whole thing). I talk to many Prav users with my diasp.in or poddery.com already. If users want both accounts, they will have to link two phone numbers. Directory will be 1 phone number 1 xmpp id (at least right now). We could offer linking multiple ids too, but they will have to verify both phone number and xmpp id to be able to link. So even if we don't allow this integration, people will be able to link their durare.org id with a phone number. All of this is optional and they will always have an option to sign up manually without using a phone number.