IMO putting everything in one file makes it crammed, why not separate parts of the backend into separate files and call them from the main.py file? It improves readability and doesn't cause any harm to the functionality..

And using JSON for storing data is fine, but in my experience, it has caused significant overhead with large files. A database system should get rid of writing to multiple files manually (especially if you have multiple files open in the program at once), and decrease read/write times. sqlite may be a good idea, it's comes as a default Python library.

I know that this will take quite a lot of time to implement, I may be able to help.
Please do consider this, thanks!

When I was trying to get my own Meower Server to work on the Meower Client, I noticed that I could just login onto the normal server (using a development client) without any issues.

That's a problem!

Because I literally had an access to the secret moderation panel (through idk if it worked or not), and I had an access to everything! Creating posts, changing settings ETC....

That could lead to custom clients be able to connect to the Meower server.

Change the trust key ASAP!!

^

by adding a person to chat 2 times, you can cause the user to have some weird side effects, those include:

• Double posting
• Double joining
• Double member
  thats about it

i might be putting a temporary fix in svelte until its fixed

^

to repro (n svelte):

1. have an account with lots of gcs in
2. click load more

Recieving

Sadly, we could not take action on one of your recent reports. The content you reported was not severe enough to warrant action being taken. We still want to thank you for your help with keeping Meower a safe and welcoming place!

is one thing, but not even knowing what on earth that report was is another thing, and quite annoying too. Same goes for

We took action on one of your recent reports. Thank you for your help with keeping Meower a safe and welcoming place!

What recent report was taken action on???

Instead, Meower should send the messages containing the message and/or user that had their content/account taken action on.
Examples:

Sadly, we could not take action on one of your recent reports. The content you reported was not severe enough to warrant action being taken. We still want to thank you for your help with keeping Meower a safe and welcoming place!

Content reported: Welcome to Meower! We welcome you with open arms! You can get started by making friends in the global chat or home, or by searching for people and adding them to a group chat. We hope you have fun! (Inbox Message)

Sadly, we could not take action on one of your recent reports. The content you reported was not severe enough to warrant action being taken. We still want to thank you for your help with keeping Meower a safe and welcoming place!

User reported: @joshtheverynicenormaluser

We took action on one of your recent reports. Thank you for your help with keeping Meower a safe and welcoming place!

Content reported: am evil hacker ban me or will destroy meower (Posted by @definitelynotjoshtheveryevilhacker)

We took action on one of your recent reports. Thank you for your help with keeping Meower a safe and welcoming place!

User reported: @definitelynotjoshtheveryevilhacker

Currently at https://api.meower.org/ there is a placeholder but this page could be used for basic documentation, similar to that in the README but perhaps with more detail and examples. Alternatively the documentation could have its own /docs route. Thoughts?

Re: DM from @tnix100

TL;DR, This is a security vulnerability found in the Set ID command, originally used for unmodified CloudLink server users to specify a username. Since SetID is not used in Meower as it has been replaced with AutoID, it's functionality still remains, leading to this vuln...

How are you able to pull off this vulnerability?

By basicly logging into Meower with a valid account and waiting to gain the server's trust, then at the right moment setting your ID to be the ID of another account.

What will this security vulnerability let you achieve?

Depending on the timing it will have different outcomes.

1. It adds a "ghost client" to the ulist which cannot be logged out and causes the account to be "account jammed" (owner of account cannot login and will stay in ulist until server restarts).
2. It will replace your proper client's ID with the ID you chose to spoof, allowing you to gain full access over their account and even use moderator level commands if it is a moderator level account.

What actions did we (as in 'we' I mean William and I) take to protect Meower and it's users?

1. We deleted the DNS records for server.meower.org so no new traffic can enter the Cloudflare tunnel.
2. We tried to tell everyone to logout of Meower, this will cause them to not be able to log back in.
3. We made a maintenance page that replaced app.meower.org to let users know what's going on and direct them to the Discord for updates.
4. We made an announcement about this in updates to be transparent and let the users of Meower know what's going on.

Potential Fix

Not sure if this will patch everything related to this bug, but removing the 'setid' command from the Meower server is a good first step.

Solution: Disabling functionality within CloudLink Server, deeming the following commands...

1. setid
2. gmsg
3. gvar

...Disabled.

I think we should make a security policy for the main repositories (most importantly server). Right now GitHub just returns the whole security.py file as the security policy, which I honeslty find kinda funny.

would help in these ways:

• eliminate timing issues
• prevent any possible spoofing
• make openly's authentication thing that I'm making work
• make custom clients easier

^

Please, we need this

^

This feature will allow the user to view all account activity such as last login timestamp, last known IP address, and account creation timestamps.

This will also permit the user to provide an email to open up the possibility for an account recovery system as well as email-based notifications. More ideas suggested for this.

This should also implement an account deletion feature, as mentioned in https://github.com/meower-media-co/Meower/issues/96

Also, a much needed feature is the ability to change/reset account passwords, as mentioned in https://github.com/meower-media-co/Meower/issues/49

^

Current implementation as of now is to store home posts to /Meower/Posts/ and index these posts into a JSON file in /Meower/Categories/Home/ formatted as M:D:Y.json. This is inefficient for storage and can bug out if the file is larger than the maximum allowable packet size in CloudLink.

Possible improvement for this is to make post_home store posts in /Meower/Categories/Home/ instead and modify the get_home command to pull a directory listing of that directory, shorten it down to the most recent posts within the last hour, and trim if needed to even smaller amounts if the listing is larger than the maximum allowable packet size.

see the title

Use a conf.py file with the contents

from dotenv import dotenv_values
from os import enviorn as os_env

environ = {
  **dotenv_values(".env")
  **os_env
  }
  
def getenv(key: str, default=None) -> str:
       return  environ.get(key, default)

and import that instead

^

Since Beta 6 is not yet ready, the current Beta 5.x server's CL implementation will be upgraded to use Cloudlink 4.

a637dc9

When a client disconnects, there is a chance for the socket handler to not cause on close, so cloudlink is unable to delete the clients websocket connection.

In meower, this leads to always online (until restart) users or bots. Where the user or bot is unable to login to there account. Meower returns a internal error

When a socket is not deleted and you try to interact with it, it raises an error saying the client is closed.

Possible fix:
Catch the error and delete the client object and update ulist

Hello, i am making an (small) update to the servers but the py files not loading

@MikeDev101 @tnix100

Originally posted by Melt2002 December 18, 2021 not posted by william melt posted it melt posted it dont get it confused

^

^

Use watchdog library to detect changes, and use os.execv() to restart.

Whenever i assign a listener to the trust key, it wont respond with the listener once the server gets the msg sometimes

idk if its reproducable, but it needs to be fixed

Should be marked as urgent, as this would allow people to create a group chat with the name of an inappropriate message, then add people, sending an inappropriate message to their inbox.

Meower refuses to log ne in, it just says a E:103 error during the pass auth (i think) process (using cookies) and shows the server down screen

^

RCS is a feature originally featured in Yoom, which allowed moderators and the sysadmin to login to a special command prompt that allowed them to manage the server, view and respond to reports, delete/modify posts, and more.

Meower will have a level-of-trust system. It's levels are described below.

Level 1 - Only allow moderators to manage reports and delete posts. Applies to new moderators.
Level 2 - Also allow moderators to modify posts and block IP addresses. Promoted moderators only.
Level 3 - Permit moderators to create announcements. Only the most trusted moderators can get this level.
Level 4 - Sysadmin only, allows for all the above + ability to restart or shutdown the server at will.

This feature will function as an API making a staff page possible as well as the ability to moderate posts directly within Meower.
This feature will be helpful to develop a python GUI for managing the server.

This will also make possible the following feature: meower-media-co/Meower-Vanilla#97

Pretty self explanatory to anyone who has had their client glitch out from scratch json packets. This would essentially send an error code when someone attempts to send a scratch json packet, and simply reject it. (e.g. "E:023 | Scratch packet rejected" or "E:023 | Packet rejected".)

When using the command ip_ban it will only ban the user if they're not already in the users array for IP bans. This is a problem because if a user gets IP banned but comes online with another IP, that IP cannot be banned until their previous IP is unbanned through the ip_pardon command.

I feel as though ip_ban should ban their last IP (stored in their userdata), and ip_pardon should attempt to pardon every IP they've logged in with previously. If you agree I can make a PR to get this added.

oauth2 for meower

why?

makes custom clients ask for permission and never touch passwords

scopes

admin - meower admin
meower:status - check server status
meower:write - read and write posts
meower:chat - read and write public chat
meower:privchat - read and write private chat
meower:all - everything meower

A common thing people do is change their password, then forget it, but still remember their old one.

A useful feature would be to store the previous password (hashed) for 14 days after the password is changed.

When a password is entered, the server would check the main password, but if it doesn't match, it would check the previous password (if applicable).

If the password matches the previous password variable, but not the primary variable, it would send a status code informing the client that the password was valid within the past 14 days, but was changed (time) ago from a (device) in (location). It should not allow the user to log in as then anyone with the previous password can log in which is a security vulnerability.

Obviously, the time, device, and location info will need to come from somewhere other than a status code, for example, stored hashed by the previous password on the API.

I also have a mockup of a popup showing this feature put to use:

When the user contacts [email protected] to change the password, the support person should be able to switch the previous and primary password variables around, making the previous password the primary password. If emails are added in the CL4 port, you should also require a code from an email for added security.

^

In the future, meower will only have the trust key "meower". Due to how CloudLink's Trusted Access feature works, I cannot remove Trust Keys as it wouldn't work with a vanilla copy of CloudLink, and if I wanted to turn it off I would also need to disable IP blocking.

Instead, we just share a generic trust key "meower" and heavily improve authentication and other server-side protections.

This feature was also historically used as a version check, but in the future the server will implement a command to check the client's version string and compare it against a list of compatible versions, and will tell the client if it's out of date or not.

(from MB docs)
Specify the client headers. If a library is misbehaving, this will help us handle the issues that may cause by temporarily blacklisting the client versions.

(make this a required step in the process of connecting to the server.)

@tnix100

Issue: CL4 api endpoint authenticate command is not functional
Log:

[2023-02-02 10:07:30,913 | 1675350450.913019] (24412 - MainThread) INFO: Cloudlink server v0.1.9.2
[2023-02-02 10:07:30,957 | 1675350450.957789] (24412 - MainThread) INFO: server listening on 0.0.0.0:3001
[2023-02-02 10:08:33,186 | 1675350513.186868] (24412 - MainThread) INFO: connection open
[2023-02-02 10:08:33,186 | 1675350513.186868] (24412 - MainThread) INFO: Client 0 connected: 127.0.0.1
[2023-02-02 10:19:02,857 | 1675351142.857281] (24412 - MainThread) ERROR: Exception was raised: "'User' object has no attribute 'get_following'"
Traceback (most recent call last):
  File "D:\meower-server\meower\run_cl4.py", line 8, in <module>
    cl.run(ip="0.0.0.0", port=3001)
  File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 76, in run
    self.asyncio.run(self.__run__(ip, port))
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\runners.py", line 190, in run
    return runner.run(main)
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\runners.py", line 118, in run
    return self._loop.run_until_complete(task)
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 637, in run_until_complete
    self.run_forever()
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\windows_events.py", line 321, in run_forever
    super().run_forever()
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 604, in run_forever
    self._run_once()
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\base_events.py", line 1909, in _run_once
    handle._run()
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\asyncio\events.py", line 80, in _run
    self._context.run(self._callback, *self._args)
  File "C:\Users\Mike Renaker\AppData\Local\Programs\Python\Python311\Lib\site-packages\websockets\legacy\server.py", line 236, in handler
    await self.ws_handler(self)
  File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 563, in __handler__
    result = await self.__run_method__(client, message)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 475, in __run_method__
    return await self.__cl_method_handler__(client, message)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\meower-server\meower\src\cl4\cloudlink\server\server.py", line 410, in __cl_method_handler__
    await method(client, message, listener)
  File "D:\meower-server\meower\src\cl4\commands.py", line 60, in authenticate
    "following": session.user.get_following(),
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'User' object has no attribute 'get_following'

[2023-02-02 10:19:02,864 | 1675351142.864737] (24412 - MainThread) INFO: Client 0 disconnected: 127.0.0.1 - Code 1011 and reason "Unexpected exception was raised"
[2023-02-02 10:19:02,873 | 1675351142.873714] (24412 - MainThread) INFO: connection closed

mashedpotatos

Describe the bug
This is a test.

To Reproduce
Steps to reproduce the behavior:

1. Test

Expected behavior
Test

Screenshots

Desktop (please complete the following information):

• OS: Microsoft Windows 95 OSR2
• Browser: Netscape Navigator
• Version: 69.420

Smartphone (please complete the following information):

• Device: A Dollar Store Android phone
• OS: Android Lolipop (5.0)
• Browser: Chrome
• Version: 69.420

Additional context
This is a test

every page after 3 i believe for me atleast has the last 9 or so user querys be the same every time. may be different on other devices, an example of this is on the bettermeower 1.5.0 branch. or the diference between https://api.meower.org/search/users?autoget&page=15&q= and https://api.meower.org/search/users?autoget&page=14&q=

If the feature detects a username that already exists with a I, and the fake includes l, the server can return Account exists.

^

also will make possible the user notifs feature as mentioned in meower-media-co/Meower-Vanilla#23