bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Olivier Certner]

When `erc-prompt-for-nickserv-password' is true, don't ignore the
other forms of identification.  Instead, process them first, and
prompt for the password last.  Separate concerns (determination of the
nick to use, of the password to use, and actual message sending).

Note that the user can be interactively prompted for a password on
reception of a Nickserv request, as before (on
`erc-prompt-for-nickserv-password').

This is a follow-up to #45340 (see end of discussion there for additional 
context).

Pull request with the single commit to be posted after the bug is open. 
Changes rebased on master.

-- 
Olivier Certner

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Olivier Certner]

Corresponding "pull request" (just for showing the diff):
https://github.com/OlCe2/emacs/pull/2

-- 
Olivier Certner

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Basil L. Contovounesios]

Olivier Certner <ocert.dev@free.fr> writes:

> Corresponding "pull request" (just for showing the diff):
> https://github.com/OlCe2/emacs/pull/2

Thanks, but I think it's generally easier/preferred to review patches
here if you send them as attachments.  See the file CONTRIBUTE.

-- 
Basil

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Olivier Certner]

[-- Attachment #1: Type: text/plain, Size: 36 bytes --]

Sure. Attached.

-- 
Olivier Certner

[-- Attachment #2: 0001-NickServ-identification-Prompt-for-password-last-ove.patch --]
[-- Type: text/x-patch, Size: 11938 bytes --]

From 0b3d0c7a53f4a9d14db8301a8e499bf62cab619a Mon Sep 17 00:00:00 2001
From: Olivier Certner <olce.emacs@certner.fr>
Date: Fri, 5 Feb 2021 15:34:50 +0100
Subject: [PATCH] NickServ identification: Prompt for password last, overall
 simplifications

When `erc-prompt-for-nickserv-password' is true, don't ignore the
other forms of identification.  Instead, process them first, and
prompt for the password last.  Separate concerns (determination of the
nick to use, of the password to use, and actual message sending).

Note that the user can be interactively prompted for a password on
reception of a Nickserv request, as before (on
`erc-prompt-for-nickserv-password').

* lisp/erc/erc-services.el (erc-nickserv-identify): Don't take the
password anymore as an argument (and don't prompt for it
interactively).  On the contrary, now take the nick to use for
identification (interactively, ask for it, defaulting to the current
one).  Move actual message sending into the new
`erc-nickserv-send-identify', and password prompting into
`erc-nickserv-get-password'.

(erc-nickserv-send-identify): New function containing the sending
code, given the nick and password.

(erc-nickserv-get-password): Try each password source in turn, in this
order: `erc-nickserv-passwords', auth-source (if
`erc-use-auth-source-for-nickserv-password' is true), and in the end
prompt the user interactively (if `erc-prompt-for-nickserv-password'
is true).  If one source returns a string, the function returns it, or
nil if the string is empty.

(erc-nickserv-call-identify-function): Remove.  It was necessary as a
cumbersome workaround for the fact that the code for password
prompting was in the `interactive' form of function
`erc-nickserv-identify' before this change.

(erc-nickserv-identify-autodetect, erc-nickserv-identify-on-connect)
(erc-nickserv-identify-on-nick-change): Call `erc-nickserv-identify'
directly (`erc-nickserv-call-identify-function' was removed).  For the
last two functions, remove the redundant checks on the Nickserv
identification flags (additionally, it is doubtful they have any
measurable impact on performance).
---
 etc/NEWS                 |  14 +++-
 lisp/erc/erc-services.el | 157 ++++++++++++++++++++++-----------------
 2 files changed, 99 insertions(+), 72 deletions(-)

diff --git a/etc/NEWS b/etc/NEWS
index caa366aaef..3fbf7c6b29 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -1528,14 +1528,20 @@ https://www.w3.org/TR/xml/#charsets).  Now it rejects such strings.
 
 ** erc
 
----
-*** erc-services.el now supports NickServ passwords from auth-source.
+*** NickServ passwords can now be retrieved from auth-source
 The 'erc-use-auth-source-for-nickserv-password' user option enables
 querying auth-source for NickServ passwords.  To enable this, add the
 following to your init file:
 
-    (setq erc-prompt-for-nickserv-password nil
-          erc-use-auth-source-for-nickserv-password t)
+    (setq erc-use-auth-source-for-nickserv-password t)
+
+*** NickServ identification now prompts for password last
+When 'erc-prompt-for-nickserv-password' is true, the user used to be
+unconditionally prompted interactively for a password, regardless of
+the content of `erc-nickserv-passwords', which was effectively ignored
+(same for the new 'erc-use-auth-source-for-nickserv-password').  This
+limitation is now removed, and the user is interactively prompted
+last, after the other identification methods have run.
 
 ---
 *** The '/ignore' command will now ask for a timeout to stop ignoring the user.
diff --git a/lisp/erc/erc-services.el b/lisp/erc/erc-services.el
index 9ef8b7f46a..3740e54672 100644
--- a/lisp/erc/erc-services.el
+++ b/lisp/erc/erc-services.el
@@ -170,9 +170,8 @@ You can also use \\[erc-nickserv-identify-mode] to change modes."
 
 (defcustom erc-use-auth-source-for-nickserv-password nil
   "Query auth-source for a password when identifiying to NickServ.
-This option has an no effect if `erc-prompt-for-nickserv-password'
-is non-nil, and passwords from `erc-nickserv-passwords' take
-precedence."
+Passwords from `erc-nickserv-passwords' take precedence.  See
+function `erc-nickserv-get-password'."
   :version "28.1"
   :group 'erc-services
   :type 'boolean)
@@ -400,85 +399,107 @@ password for this nickname, otherwise try to send it automatically."
 		 identify-regex
 		 (string-match identify-regex msg))
 	(erc-log "NickServ IDENTIFY request detected")
-	(erc-nickserv-call-identify-function nick)
+	(erc-nickserv-identify nick)
 	nil))))
 
 (defun erc-nickserv-identify-on-connect (_server nick)
   "Identify to Nickserv after the connection to the server is established."
-  (unless (or (and (null erc-nickserv-passwords)
-                   (null erc-prompt-for-nickserv-password)
-                   (null erc-use-auth-source-for-nickserv-password))
-              (and (eq erc-nickserv-identify-mode 'both)
-                   (erc-nickserv-alist-regexp (erc-network))))
-    (erc-nickserv-call-identify-function nick)))
+  (unless (and (eq erc-nickserv-identify-mode 'both)
+               (erc-nickserv-alist-regexp (erc-network)))
+    (erc-nickserv-identify nick)))
 
 (defun erc-nickserv-identify-on-nick-change (nick _old-nick)
   "Identify to Nickserv whenever your nick changes."
-  (unless (or (and (null erc-nickserv-passwords)
-                   (null erc-prompt-for-nickserv-password)
-                   (null erc-use-auth-source-for-nickserv-password))
-              (and (eq erc-nickserv-identify-mode 'both)
-                   (erc-nickserv-alist-regexp (erc-network))))
-    (erc-nickserv-call-identify-function nick)))
+  (unless (and (eq erc-nickserv-identify-mode 'both)
+               (erc-nickserv-alist-regexp (erc-network)))
+    (erc-nickserv-identify nick)))
 
-(defun erc-nickserv-get-password (nickname)
-  "Return the password for NICKNAME from configured sources.
+(defun erc-nickserv-get-password (nick)
+  "Return the password for NICK from configured sources.
+First, a password for NICK is looked up in
+`erc-nickserv-passwords'.  Then, it is looked up in auth-source
+if `erc-use-auth-source-for-nickserv-password' is not nil.
+Finally, interactively prompt the user, if
+`erc-prompt-for-nickserv-password' is true.
 
-It uses `erc-nickserv-passwords' and additionally auth-source
-when `erc-use-auth-source-for-nickserv-password' is not nil."
-  (or
-   (when erc-nickserv-passwords
-     (cdr (assoc nickname
-                 (nth 1 (assoc (erc-network)
-                               erc-nickserv-passwords)))))
-   (when erc-use-auth-source-for-nickserv-password
-     (let* ((secret (nth 0 (auth-source-search
-                            :max 1 :require '(:secret)
-                            :host (erc-with-server-buffer erc-session-server)
-                            :port (format ; ensure we have a string
-                                   "%s" (erc-with-server-buffer erc-session-port))
-                            :user nickname))))
-       (when secret
-         (let ((passwd (plist-get secret :secret)))
-           (if (functionp passwd) (funcall passwd) passwd)))))))
-
-(defun erc-nickserv-call-identify-function (nickname)
-  "Call `erc-nickserv-identify'.
-Either call it interactively or run it with NICKNAME's password,
-depending on the value of `erc-prompt-for-nickserv-password'."
-  (if erc-prompt-for-nickserv-password
-      (call-interactively 'erc-nickserv-identify)
-    (erc-nickserv-identify (erc-nickserv-get-password nickname))))
+As soon as some source returns a password, the sequence of
+lookups stops and this function returns it (or returns nil if it
+is empty).  Otherwise, no corresponding password was found, and
+it returns nil."
+  (let (network server port)
+    ;; Fill in local vars, switching to the server buffer once only
+    (erc-with-server-buffer
+     (setq network erc-network
+           server erc-session-server
+           port erc-session-port))
+    (let ((ret
+           (or
+            (when erc-nickserv-passwords
+              (cdr (assoc nick
+                          (cl-second (assoc network
+                                            erc-nickserv-passwords)))))
+            (when erc-use-auth-source-for-nickserv-password
+              (let ((secret (cl-first (auth-source-search
+                                       :max 1 :require '(:secret)
+                                       :host server
+                                       ;; Ensure a string for :port
+                                       :port (format "%s" port)
+                                       :user nick))))
+                (when secret
+                  (let ((passwd (plist-get secret :secret)))
+                    (if (functionp passwd) (funcall passwd) passwd)))))
+            (when erc-prompt-for-nickserv-password
+              (read-passwd
+               (format "NickServ password for %s on %s (RET to cancel): "
+                       nick network))))))
+      (when (and ret (not (string= ret "")))
+        ret))))
 
 (defvar erc-auto-discard-away)
 
-;;;###autoload
-(defun erc-nickserv-identify (password)
+(defun erc-nickserv-send-identify (nick password)
   "Send an \"identify <PASSWORD>\" message to NickServ.
-When called interactively, read the password using `read-passwd'."
+Returns t if the message could be sent, nil otherwise."
+  (let* ((erc-auto-discard-away nil)
+         (network (erc-network))
+         (nickserv-info (assoc network erc-nickserv-alist))
+         (nickserv (or (erc-nickserv-alist-nickserv nil nickserv-info)
+                       "NickServ"))
+         (identify-word (or (erc-nickserv-alist-ident-keyword
+                             nil nickserv-info)
+                            "IDENTIFY"))
+         (nick (if (erc-nickserv-alist-use-nick-p nil nickserv-info)
+                   (concat nick " ")
+                 ""))
+         (msgtype (or (erc-nickserv-alist-ident-command nil nickserv-info)
+                      "PRIVMSG")))
+    (erc-message msgtype
+                 (concat nickserv " " identify-word " " nick password))))
+
+;;;###autoload
+(defun erc-nickserv-identify (&optional nick)
+  "Identify to NickServ immediately.
+Identification will either use NICK or the current nick if not
+provided, and some password obtained through
+`erc-nickserv-get-password' (which see).  If no password can be
+found, an error is reported trough `erc-error'.
+
+Interactively, the user will be prompted for NICK, an empty
+string meaning to default to the current nick.
+
+Returns t if the identify message could be sent, nil otherwise."
   (interactive
-   (list (read-passwd
-	  (format "NickServ password for %s on %s (RET to cancel): "
-		  (erc-current-nick)
-		  (or (and (erc-network)
-			   (symbol-name (erc-network)))
-		      "Unknown network")))))
-  (when (and password (not (string= "" password)))
-    (let* ((erc-auto-discard-away nil)
-	   (network (erc-network))
-	   (nickserv-info (assoc network erc-nickserv-alist))
-	   (nickserv (or (erc-nickserv-alist-nickserv nil nickserv-info)
-			 "NickServ"))
-	   (identify-word (or (erc-nickserv-alist-ident-keyword
-			       nil nickserv-info)
-			      "IDENTIFY"))
-	   (nick (if (erc-nickserv-alist-use-nick-p nil nickserv-info)
-		     (concat (erc-current-nick) " ")
-		   ""))
-	   (msgtype (or (erc-nickserv-alist-ident-command nil nickserv-info)
-			"PRIVMSG")))
-      (erc-message msgtype
-		   (concat nickserv " " identify-word " " nick password)))))
+   (list
+    (read-from-minibuffer "Nickname: " nil nil nil
+                          'erc-nick-history-list (erc-current-nick))))
+  (unless (and nick (not (string= nick "")))
+    (setq nick (erc-current-nick)))
+  (let ((password (erc-nickserv-get-password nick)))
+    (if password
+        (erc-nickserv-send-identify nick password)
+      (erc-error "Cannot find a password for nickname %s"
+                 nick)
+      nil)))
 
 (provide 'erc-services)
 
-- 
2.30.0

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[J.P.]

Hi Olivier,

I'm sure you know this, but for others, both files have changed since
this patch was created. It applies cleanly for me atop this commit:

  297c0e0306f111c1e7564b2bb49a7e1a925a55bb

Okay, the layout of this module is a bit confusing to me. Perhaps that's
because it's regarded as an entry point of some kind and therefore
special? In the commentary, it says to enable it explicitly using the
minor mode interface (rather than add it to erc-modules). However, I
notice that the :set function for the option erc-nickserv-identify-mode
goes ahead and activates it in all the ways that matter (but the minor-
mode variable).

So no matter what, the function of the same name is called, which then
sets the same custom option (possibly again). I guess that's what that
comment about avoiding "recursive load at startup" is all about? For
now, I'll just assume something fancy's going on I don't yet comprehend.
(Maybe I'll check the old mailing list for clues.)

In general, I'm somewhat inclined to regard this module as nonessential
and legacy focused because it's not loaded by default and because these
days, things seem to be trending toward fewer interactions with nick
services beyond initial setup (where manual piloting is required
anyway). However, I think this module receives a fair amount of
attention on #emacs and elsewhere, so we might as well abide. Because I
don't use it myself, I'll spare you any dubious hands on feedback and
stick to the self-interested stuff affecting those improvements I'd like
to see in ERC for this coming release.

So, despite its specialness, I'm rather confident this module and your
changes to it will be spared the brunt of the library-wide modifications
I have in store. Basically, this would be a reorienting of ERC's notion
of connection identities toward a more network-centric view.

This module already depends on erc-networks, which is good. This means
most of what I'll be tweaking will be auth-source related. But I won't
touch any options concerning the when and the why of it all, which is
what you and Leon have addressed. I'll instead likely only be messing
with the arguments to the one auth-source-search invocation. If you're
interested in details, please follow bug #48598.

A couple specifics. In erc-nickserv-get-password,

    (erc-with-server-buffer
     (setq network erc-network
                   ^~~~~~~~~~~~
           server erc-session-server
           port erc-session-port))

would you mind using the function form of erc-network instead? I'm
focusing a lot on that one symbol in particular, and it'd be nice to
keep things consistent for now, if it's all the same to you.

My other note concerns erc-nickserv-identify. Assuming debug-on-error is
nil, it looks like this dings whenever erc-nickserv-get-password comes
up empty, which I guess can only happen when the three main
password-related user options are all nil (or the prompt gets
dismissed).

So, worst case scenario, people get dinged a few times straight away:
maybe once just after MOTD and once just before, in the case of an
initial re-NICK, and maybe again from a "please identify"/"nick taken"
NOTICE. But being Emacs users, they'd know to check *Messages* for
details (is that the idea?). If there's a realistic chance of a more
intense onslaught, I suppose one alternative might be to print something
to the active buffer using erc-display-error-notice instead. But you
know better than I, having actually used this.

Not sure if you're aware, but there's a bit of an integration going on
between erc-join.el and this module via erc-nickserv-identified-hook.
The autojoin module is pretty confusing, and my current bug addresses
some of that. My question for you is: do networks punish folks for
repeated failed JOIN attempts while unauthed? IOW, any clue whether
major IRCds or service daemons auto-TKLINE (or similar) for such
behavior? If there *is* a risk, I'd rather fix things on the autojoin
side because inhibiting timers during read-passwd would affect PONGs and
the outgoing flood queue, etc.

BTW, have you considered maybe generalizing this entire module (while
preserving the interface) to make it work with *any* services bot, e.g.,
FooServ, and not just nick-related stuff?

So, yeah, now comes the part where I admit to not having actually fired
this up and put it through its paces. But I'm certainly willing to if
you'd like the extra peace of mind. Shouldn't take more than a couple
days (i.e., nanoseconds to the yogi you've surely become by now). Let me
know, and thanks.

J.P.

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Olivier Certner]

Hi,

> I'm sure you know this, but for others, both files have changed since
> this patch was created. It applies cleanly for me atop this commit: 
>   297c0e0306f111c1e7564b2bb49a7e1a925a55bb

I didn't check for a long time because of the legal part taking so long (more 
than 7 months, I opted for public domain first but switched to regular 
copyright assignment thanks to the grant back) and because I'm maintaining 
private patches over Emacs 27.1.

I have very limited time at the moment, so I'm sure I'm not going to be able 
to look at it before next week, and perhaps even before next month. Are you 
(or is someone) aware of the expected release cycle for 28.1?

> Okay, the layout of this module is a bit confusing to me. Perhaps that's
> because it's regarded as an entry point of some kind and therefore
> special? In the commentary, it says to enable it explicitly using the
> minor mode interface (rather than add it to erc-modules). However, I
> notice that the :set function for the option erc-nickserv-identify-mode
> goes ahead and activates it in all the ways that matter (but the minor-
> mode variable).

Didn't dig that, but can tell you "services" indeed works when added to `erc-
modules', since this is how I'm using it. If I don't put it there, no autojoin 
happens when NickServ responds.

> In general, I'm somewhat inclined to regard this module as nonessential
> and legacy focused because it's not loaded by default and because these
> days, things seem to be trending toward fewer interactions with nick
> services beyond initial setup (where manual piloting is required
> anyway). However, I think this module receives a fair amount of
> attention on #emacs and elsewhere, so we might as well abide. Because I
> don't use it myself, I'll spare you any dubious hands on feedback and
> stick to the self-interested stuff affecting those improvements I'd like
> to see in ERC for this coming release.

I've seen you sent a big mail entitled "buffer-naming collisions involving 
bouncers in ERC" but only had time for a quick glance.

As for interaction with NickServ, every new direct connection to servers need 
to authenticate with NickServ when using a registered nick. I don't know how 
bouncers work, but I suspect they do authentication differently, so I suspect 
your view is that of a user of bouncers.

Architecturally, I don't know (yet) if having this module separate is a good 
thing going ahead, but on the other hand I think the need for auto-joining is 
very real (again, may be wrong with bouncers; do they automatically forward 
all messages from all channels they are in to clients connecting to them? or 
is there a specific mechanism to obtain the messages from specific channels?).
And autojoining cannot work effectively if users are not automatically 
identified before (when using registered nicks). So the module/architecture 
may be obsolete, but I don't think the needs themselves are.
 
> This module already depends on erc-networks, which is good. This means
> most of what I'll be tweaking will be auth-source related. But I won't
> touch any options concerning the when and the why of it all, which is
> what you and Leon have addressed. I'll instead likely only be messing
> with the arguments to the one auth-source-search invocation. If you're
> interested in details, please follow bug #48598.

Given my limited time at the moment, yes, it would be best that your changes 
are quite small if you want me to review them.

I'll follow up with #48598 when I can.

So here's a first proposal:
1. I rebase the changes on current master.
2. We address what needs to be addressed with respect to your other patches.

Provided, indeed, that I have time to do it quickly enough for 28.1's release. 
If not we'll have to find another plan.
 
> A couple specifics. In erc-nickserv-get-password,
> 
>     (erc-with-server-buffer
>      (setq network erc-network
>                    ^~~~~~~~~~~~
>            server erc-session-server
>            port erc-session-port))
> 
> would you mind using the function form of erc-network instead? I'm
> focusing a lot on that one symbol in particular, and it'd be nice to
> keep things consistent for now, if it's all the same to you.

In principle I don't mind. But I also prefer simplicity as much as possible. 
If I chose this, it's probably because using the function had no added value. 
If the buffer-local variable and the function are indeed going to differ 
(hopefully you have good reasons for this) in your plans, of course we can 
switch.

In ERC in general, I've found that there are too many buffer-local variables 
and accessor functions in the sense that they are redundant, that you don't 
necessarily know in which buffer to look for which variable (current buffer? 
server buffer? other?), and that multiple variables seem to contain 
approximately the same information (but not exactly, that would be too 
simple). Proper accessors could solve part of these problems (doing that with 
a minimal amount of buffer switching is more work, but can wait for later).

> My other note concerns erc-nickserv-identify. Assuming debug-on-error is
> nil, it looks like this dings whenever erc-nickserv-get-password comes
> up empty, which I guess can only happen when the three main
> password-related user options are all nil (or the prompt gets
> dismissed).
> 
> So, worst case scenario, people get dinged a few times straight away:
> maybe once just after MOTD and once just before, in the case of an
> initial re-NICK, and maybe again from a "please identify"/"nick taken"
> NOTICE. But being Emacs users, they'd know to check *Messages* for
> details (is that the idea?). If there's a realistic chance of a more
> intense onslaught, I suppose one alternative might be to print something
> to the active buffer using erc-display-error-notice instead. But you
> know better than I, having actually used this.

I get prompted once only (in fact, now not at all, since I use auth-source). I 
never re-NICK. What are re-NICKs used for? To wear cloaks after regular log 
in? In this case, I assume NickServ authentication is needed for logging in, 
but not to switch to the cloak? Sorry, I'm not yet very versed in the 
subtleties of IRC, contrary to what you may think.

I don't think a priori that there is a problem in dinging the user per se, 
even a few times. The problem is rather whether the process should take place 
or not (i.e., should NickServ identification happen in the first place? see 
questions on re-NICK above) and when (dinging is OK if close to an event 
triggered by the user, which if I remember correctly is the case now except 
for delayed autojoining, if the delay is too long).

> Not sure if you're aware, but there's a bit of an integration going on
> between erc-join.el and this module via erc-nickserv-identified-hook.
> The autojoin module is pretty confusing, and my current bug addresses
> some of that. My question for you is: do networks punish folks for
> repeated failed JOIN attempts while unauthed? IOW, any clue whether
> major IRCds or service daemons auto-TKLINE (or similar) for such
> behavior? If there *is* a risk, I'd rather fix things on the autojoin
> side because inhibiting timers during read-passwd would affect PONGs and
> the outgoing flood queue, etc.

Not sure what you are referring to here. Maybe after fully reading bugs and 
mails, things will get clear, but for now they are rather obscure. Trying 
anyway:
1. I can't answer your question about being banned if attempting too much to 
join while not authenticated. But why is this even a problem? In which case 
are we going to repeatedly join some channel after a failed attempt?
2. `read-passwd' doesn't inhibit timers (AFAIK). Why would you want to inhibit 
timers there? Having a time out in `erc-nickserv-identify' would be great yes. 
Is this what you are talking about?

> BTW, have you considered maybe generalizing this entire module (while
> preserving the interface) to make it work with *any* services bot, e.g.,
> FooServ, and not just nick-related stuff?

Not at this point, because I don't know IRC enough, and I'm not using other 
services bot. What would doing this buy us? I can't answer that now.

That said, I think we (at least, I) should rather focus on needs and 
mechanisms (e.g., such as authentication), and then deal with actual 
implementations, possibly involving bots (e.g., NickServ for auth).

-- 
Olivier Certner

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[J.P.]

> I have very limited time at the moment, so I'm sure I'm not going to be able 
> to look at it before next week, and perhaps even before next month. Are you 
> (or is someone) aware of the expected release cycle for 28.1?

Thanks for the time window. It would be nice to get the patches you have
open into ERC before the next release, but I'm clueless as to when
that's slated to occur.

> Didn't dig that, but can tell you "services" indeed works when added to `erc-
> modules', since this is how I'm using it. If I don't put it there, no autojoin 
> happens when NickServ responds.

I wasn't worried about it not supporting the modules interface. I was
concerned that setting `erc-nickserv-identify-mode' in a config via
`set-variable' or similar would effectively turn it "on" by registering
its hooks even though `erc-services-mode' (the variable) would still be
nil (because this module isn't loaded by default). Regardless, shouldn't
we try to keep those in sync? If not, and module-based minor modes
shouldn't be used to detect whether a module is active and its features
enabled, then we've got to fix that in the code (right?), perhaps
starting with

  (unless erc-networks-mode
    ;; Force-enable networks module, because we need it to set
    ;; erc-network for us.
    (erc-networks-enable))

in (the function) `erc-nickserv-identify-mode' itself.

> I've seen you sent a big mail entitled "buffer-naming collisions involving 
> bouncers in ERC" but only had time for a quick glance.
>
> As for interaction with NickServ, every new direct connection to servers need 
> to authenticate with NickServ when using a registered nick. I don't know how 
> bouncers work, but I suspect they do authentication differently, so I suspect 
> your view is that of a user of bouncers.

I should apologize for not de-emphasizing "bouncer" in reference to my
concerns being influenced by that bug (#48598), which for me is merely a
convenient means of addressing larger fundamental problems in ERC.

> Architecturally, I don't know (yet) if having this module separate is a good 
> thing going ahead, but on the other hand I think the need for auto-joining is 
> very real (again, may be wrong with bouncers; do they automatically forward 
> all messages from all channels they are in to clients connecting to them? or 
> is there a specific mechanism to obtain the messages from specific channels?).
> And autojoining cannot work effectively if users are not automatically 
> identified before (when using registered nicks). So the module/architecture 
> may be obsolete, but I don't think the needs themselves are.

The real problem (to my knowledge) is that there's no consensus around
how an IRC server should tell a client it's been authenticated (work may
be ongoing in this area). For now though, since there's no formal
concept of "accounts," you're either granted the nick you requested
during opening introductions or you're not.

How one goes about creating the conditions for such "granting" to occur
successfully depends on the various methods available to the client and
the server. Extensions like SASL support (part of the v3 initiative) and
Cert FP, which uses client certificates, are two examples of methods
currently employed by networks and servers to address this.

Personally, I wouldn't like to see this module loaded by default unless
we can state confidently that the way in which it goes about solving
this problem, namely engaging nick services with heuristics-driven,
TCL-expect style exchanges (which is fine) is the right thing for most
users (it very well may be).

More on this general topic of what determines a session in my bug's
thread (#48598).

> Given my limited time at the moment, yes, it would be best that your changes 
> are quite small if you want me to review them.

For this module, that's looking likely.

> I'll follow up with #48598 when I can.
>
> So here's a first proposal:
> 1. I rebase the changes on current master.
> 2. We address what needs to be addressed with respect to your other patches.

Step 2 isn't really necessary unless you feel up to it. I'm fine with
just dropping it rather than having us waste time coordinating around
something that's still mostly fluid.

>> A couple specifics. In erc-nickserv-get-password,
>> [...]
>> would you mind using the function form of erc-network instead?

Don't bother with this. I shouldn't have brought it up.

> In ERC in general, I've found that there are too many buffer-local variables 
> and accessor functions in the sense that they are redundant, that you don't 
> necessarily know in which buffer to look for which variable (current buffer? 
> server buffer? other?), and that multiple variables seem to contain 
> approximately the same information (but not exactly, that would be too 
> simple). Proper accessors could solve part of these problems (doing that with 
> a minimal amount of buffer switching is more work, but can wait for later).

We definitely agree on this point. At the moment though, I'm trying to
resist refactoring in this area in full. Instead, I'd like to turn this
corner in stages, the first adding whatever's necessary to tackle #48598
(which again, has to do with much more than just bouncers).

> I get prompted once only (in fact, now not at all, since I use auth-source). I 
> never re-NICK. What are re-NICKs used for? To wear cloaks after regular log 
> in? In this case, I assume NickServ authentication is needed for logging in, 
> but not to switch to the cloak? Sorry, I'm not yet very versed in the 
> subtleties of IRC, contrary to what you may think.

By re-NICK, I meant the server sending you a

  :you`!~you@yours NICK :you

once you've been authenticated. Do you not get these?

In terms of dinging, I wasn't really referring to your personal
experience but rather a worst case for an unlucky user. As long as the
error message and how it's displayed is sufficient for getting someone
on their way toward fixing the issue, then fine by me.

> 1. I can't answer your question about being banned if attempting too much to 
> join while not authenticated. But why is this even a problem? In which case 
> are we going to repeatedly join some channel after a failed attempt?

Don't worry about the ban thing. This was based on my carelessly missing
the fact that `erc-nickserv-identified-hook' only runs after you're
successfully authenticated. For whatever reason, I thought it ran on 376
when `erc-nickserv-identify-on-connect' fires, but that's not the case.

Currently, the first autojoin timer is only set on 376 and fires after
30 seconds. In the most unlikely scenario, an unlucky user with no auth
source and no options configured and who can't get their act together
before the timer runs will only log a single failed attempt. Clearly not
something to worry about. I doubt any public network would consider that
an infraction.

Also fueling my original concern was this phenomenon we've been seeing
of various networks enacting stricter policies for some IP ranges and
individuals. That this would somehow involve attempts to use the network
before being auth'd was unfounded speculation on my part.

> 2. `read-passwd' doesn't inhibit timers (AFAIK). Why would you want to inhibit 
> timers there? Having a time out in `erc-nickserv-identify' would be great yes. 
> Is this what you are talking about?

Sorry, that wasn't clear. I didn't mean to imply `read-passwd' inhibited
timers while running. I meant we shouldn't do that as a sad workaround
for postponing JOIN timers.

bug#46777: Updated patch

[Olivier Certner]

[-- Attachment #1: Type: text/plain, Size: 159 bytes --]

Patch slightly edited (commit message, doc text) and rebased on top of a 
recent 'master'. Ready to apply. Easy to backport to 27 as well.

-- 
Olivier Certner

[-- Attachment #2: 0001-ERC-NickServ-Prompt-for-password-last-overall-simpli.patch --]
[-- Type: text/x-patch, Size: 11849 bytes --]

From 70d13beadc2c2d6dbb36e277ab47fa6cc1ae3903 Mon Sep 17 00:00:00 2001
From: Olivier Certner <olce.emacs@certner.fr>
Date: Fri, 5 Feb 2021 15:34:50 +0100
Subject: [PATCH] ERC: NickServ: Prompt for password last, overall
 simplifications (bug#46777)

When `erc-prompt-for-nickserv-password' is true, don't ignore the
other forms of identification.  Instead, process them first, and
prompt for the password last.  Separate concerns (determination of the
nick to use, of the password to use, and actual message sending).

Note that the user can be interactively prompted for a password on
reception of a Nickserv request, as before (on
`erc-prompt-for-nickserv-password').

* lisp/erc/erc-services.el (erc-nickserv-identify): Don't take the
password anymore as an argument (and don't prompt for it
interactively).  On the contrary, now take the nick to use for
identification (interactively, ask for it, defaulting to the current
one).  Move actual message sending into the new
`erc-nickserv-send-identify', and password prompting into
`erc-nickserv-get-password'.

(erc-nickserv-send-identify): New function containing the sending
code, given the nick and password.

(erc-nickserv-get-password): Try each password source in turn, in this
order: `erc-nickserv-passwords', auth-source (if
`erc-use-auth-source-for-nickserv-password' is true), and in the end
prompt the user interactively (if `erc-prompt-for-nickserv-password'
is true).  If one source returns a string, the function returns it, or
nil if the string is empty.

(erc-nickserv-call-identify-function): Remove.  It was necessary as a
cumbersome workaround for the fact that the code for password
prompting was in the `interactive' form of function
`erc-nickserv-identify' before this change.

(erc-nickserv-identify-autodetect, erc-nickserv-identify-on-connect)
(erc-nickserv-identify-on-nick-change): Call `erc-nickserv-identify'
directly (`erc-nickserv-call-identify-function' was removed).  For the
last two functions, remove the redundant checks on the Nickserv
identification flags (additionally, it is doubtful they have any
measurable impact on performance).
---
 etc/NEWS                 |  14 +++-
 lisp/erc/erc-services.el | 157 ++++++++++++++++++++++-----------------
 2 files changed, 99 insertions(+), 72 deletions(-)

diff --git a/etc/NEWS b/etc/NEWS
index c3eaf5fcbb..af2aa21905 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -1948,14 +1948,20 @@ https://www.w3.org/TR/xml/#charsets).  Now it rejects such strings.
 
 ** erc
 
----
-*** erc-services.el now supports NickServ passwords from auth-source.
+*** NickServ passwords can now be retrieved from auth-source
 The 'erc-use-auth-source-for-nickserv-password' user option enables
 querying auth-source for NickServ passwords.  To enable this, add the
 following to your init file:
 
-    (setq erc-prompt-for-nickserv-password nil
-          erc-use-auth-source-for-nickserv-password t)
+    (setq erc-use-auth-source-for-nickserv-password t)
+
+*** NickServ identification now prompts for password last
+When 'erc-prompt-for-nickserv-password' is true, the user used to be
+unconditionally prompted interactively for a password, regardless of
+the content of `erc-nickserv-passwords', which was effectively ignored
+(same for the new 'erc-use-auth-source-for-nickserv-password').  This
+limitation is now removed, and the user is interactively prompted
+last, after the other identification methods have run.
 
 ---
 *** The '/ignore' command will now ask for a timeout to stop ignoring the user.
diff --git a/lisp/erc/erc-services.el b/lisp/erc/erc-services.el
index 61006e0c02..4233b4a322 100644
--- a/lisp/erc/erc-services.el
+++ b/lisp/erc/erc-services.el
@@ -169,9 +169,8 @@ erc-prompt-for-nickserv-password
 
 (defcustom erc-use-auth-source-for-nickserv-password nil
   "Query auth-source for a password when identifiying to NickServ.
-This option has an no effect if `erc-prompt-for-nickserv-password'
-is non-nil, and passwords from `erc-nickserv-passwords' take
-precedence."
+Passwords from `erc-nickserv-passwords' take precedence.  See
+function `erc-nickserv-get-password'."
   :version "28.1"
   :type 'boolean)
 
@@ -405,85 +404,107 @@ erc-nickserv-identify-autodetect
 		 identify-regex
 		 (string-match identify-regex msg))
 	(erc-log "NickServ IDENTIFY request detected")
-	(erc-nickserv-call-identify-function nick)
+	(erc-nickserv-identify nick)
 	nil))))
 
 (defun erc-nickserv-identify-on-connect (_server nick)
   "Identify to Nickserv after the connection to the server is established."
-  (unless (or (and (null erc-nickserv-passwords)
-                   (null erc-prompt-for-nickserv-password)
-                   (null erc-use-auth-source-for-nickserv-password))
-              (and (eq erc-nickserv-identify-mode 'both)
-                   (erc-nickserv-alist-regexp (erc-network))))
-    (erc-nickserv-call-identify-function nick)))
+  (unless (and (eq erc-nickserv-identify-mode 'both)
+               (erc-nickserv-alist-regexp (erc-network)))
+    (erc-nickserv-identify nick)))
 
 (defun erc-nickserv-identify-on-nick-change (nick _old-nick)
   "Identify to Nickserv whenever your nick changes."
-  (unless (or (and (null erc-nickserv-passwords)
-                   (null erc-prompt-for-nickserv-password)
-                   (null erc-use-auth-source-for-nickserv-password))
-              (and (eq erc-nickserv-identify-mode 'both)
-                   (erc-nickserv-alist-regexp (erc-network))))
-    (erc-nickserv-call-identify-function nick)))
+  (unless (and (eq erc-nickserv-identify-mode 'both)
+               (erc-nickserv-alist-regexp (erc-network)))
+    (erc-nickserv-identify nick)))
 
-(defun erc-nickserv-get-password (nickname)
-  "Return the password for NICKNAME from configured sources.
+(defun erc-nickserv-get-password (nick)
+  "Return the password for NICK from configured sources.
+First, a password for NICK is looked up in
+`erc-nickserv-passwords'.  Then, it is looked up in auth-source
+if `erc-use-auth-source-for-nickserv-password' is not nil.
+Finally, interactively prompt the user, if
+`erc-prompt-for-nickserv-password' is true.
 
-It uses `erc-nickserv-passwords' and additionally auth-source
-when `erc-use-auth-source-for-nickserv-password' is not nil."
-  (or
-   (when erc-nickserv-passwords
-     (cdr (assoc nickname
-                 (nth 1 (assoc (erc-network)
-                               erc-nickserv-passwords)))))
-   (when erc-use-auth-source-for-nickserv-password
-     (let* ((secret (nth 0 (auth-source-search
-                            :max 1 :require '(:secret)
-                            :host (erc-with-server-buffer erc-session-server)
-                            :port (format ; ensure we have a string
-                                   "%s" (erc-with-server-buffer erc-session-port))
-                            :user nickname))))
-       (when secret
-         (let ((passwd (plist-get secret :secret)))
-           (if (functionp passwd) (funcall passwd) passwd)))))))
-
-(defun erc-nickserv-call-identify-function (nickname)
-  "Call `erc-nickserv-identify'.
-Either call it interactively or run it with NICKNAME's password,
-depending on the value of `erc-prompt-for-nickserv-password'."
-  (if erc-prompt-for-nickserv-password
-      (call-interactively 'erc-nickserv-identify)
-    (erc-nickserv-identify (erc-nickserv-get-password nickname))))
+As soon as some source returns a password, the sequence of
+lookups stops and this function returns it (or returns nil if it
+is empty).  Otherwise, no corresponding password was found, and
+it returns nil."
+  (let (network server port)
+    ;; Fill in local vars, switching to the server buffer once only
+    (erc-with-server-buffer
+     (setq network erc-network
+           server erc-session-server
+           port erc-session-port))
+    (let ((ret
+           (or
+            (when erc-nickserv-passwords
+              (cdr (assoc nick
+                          (cl-second (assoc network
+                                            erc-nickserv-passwords)))))
+            (when erc-use-auth-source-for-nickserv-password
+              (let ((secret (cl-first (auth-source-search
+                                       :max 1 :require '(:secret)
+                                       :host server
+                                       ;; Ensure a string for :port
+                                       :port (format "%s" port)
+                                       :user nick))))
+                (when secret
+                  (let ((passwd (plist-get secret :secret)))
+                    (if (functionp passwd) (funcall passwd) passwd)))))
+            (when erc-prompt-for-nickserv-password
+              (read-passwd
+               (format "NickServ password for %s on %s (RET to cancel): "
+                       nick network))))))
+      (when (and ret (not (string= ret "")))
+        ret))))
 
 (defvar erc-auto-discard-away)
 
-;;;###autoload
-(defun erc-nickserv-identify (password)
+(defun erc-nickserv-send-identify (nick password)
   "Send an \"identify <PASSWORD>\" message to NickServ.
-When called interactively, read the password using `read-passwd'."
+Returns t if the message could be sent, nil otherwise."
+  (let* ((erc-auto-discard-away nil)
+         (network (erc-network))
+         (nickserv-info (assoc network erc-nickserv-alist))
+         (nickserv (or (erc-nickserv-alist-nickserv nil nickserv-info)
+                       "NickServ"))
+         (identify-word (or (erc-nickserv-alist-ident-keyword
+                             nil nickserv-info)
+                            "IDENTIFY"))
+         (nick (if (erc-nickserv-alist-use-nick-p nil nickserv-info)
+                   (concat nick " ")
+                 ""))
+         (msgtype (or (erc-nickserv-alist-ident-command nil nickserv-info)
+                      "PRIVMSG")))
+    (erc-message msgtype
+                 (concat nickserv " " identify-word " " nick password))))
+
+;;;###autoload
+(defun erc-nickserv-identify (&optional nick)
+  "Identify to NickServ immediately.
+Identification will either use NICK or the current nick if not
+provided, and some password obtained through
+`erc-nickserv-get-password' (which see).  If no password can be
+found, an error is reported trough `erc-error'.
+
+Interactively, the user will be prompted for NICK, an empty
+string meaning to default to the current nick.
+
+Returns t if the identify message could be sent, nil otherwise."
   (interactive
-   (list (read-passwd
-	  (format "NickServ password for %s on %s (RET to cancel): "
-		  (erc-current-nick)
-		  (or (and (erc-network)
-			   (symbol-name (erc-network)))
-		      "Unknown network")))))
-  (when (and password (not (string= "" password)))
-    (let* ((erc-auto-discard-away nil)
-	   (network (erc-network))
-	   (nickserv-info (assoc network erc-nickserv-alist))
-	   (nickserv (or (erc-nickserv-alist-nickserv nil nickserv-info)
-			 "NickServ"))
-	   (identify-word (or (erc-nickserv-alist-ident-keyword
-			       nil nickserv-info)
-			      "IDENTIFY"))
-	   (nick (if (erc-nickserv-alist-use-nick-p nil nickserv-info)
-		     (concat (erc-current-nick) " ")
-		   ""))
-	   (msgtype (or (erc-nickserv-alist-ident-command nil nickserv-info)
-			"PRIVMSG")))
-      (erc-message msgtype
-		   (concat nickserv " " identify-word " " nick password)))))
+   (list
+    (read-from-minibuffer "Nickname: " nil nil nil
+                          'erc-nick-history-list (erc-current-nick))))
+  (unless (and nick (not (string= nick "")))
+    (setq nick (erc-current-nick)))
+  (let ((password (erc-nickserv-get-password nick)))
+    (if password
+        (erc-nickserv-send-identify nick password)
+      (erc-error "Cannot find a password for nickname %s"
+                 nick)
+      nil)))
 
 (provide 'erc-services)
 
-- 
2.30.0

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Lars Ingebrigtsen]

Olivier Certner <olce.emacs@certner.fr> writes:

> Patch slightly edited (commit message, doc text) and rebased on top of a 
> recent 'master'. Ready to apply. Easy to backport to 27 as well.

Amin, have you found time to look at this patch from Olivier (and the
other three (I think) patches)?  If you can't find the time, I can
examine them and get them applied.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Amin Bandali]

Hi Lars, all,

Lars Ingebrigtsen writes:

> Olivier Certner <olce.emacs@certner.fr> writes:
>
>> Patch slightly edited (commit message, doc text) and rebased on top of a 
>> recent 'master'. Ready to apply. Easy to backport to 27 as well.
>
> Amin, have you found time to look at this patch from Olivier (and the
> other three (I think) patches)?  If you can't find the time, I can
> examine them and get them applied.

Apologies for my slow reply and absence.  I haven't been well for a few
weeks, and didn't have the time and energy to do much outside of work.
Thankfully I am better now, and expect to be able to review Olivier's
patches and hopefully get them applied in the coming days, starting
tomorrow.  If not, I'll let you all know so you could review and apply
them, thanks!

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Lars Ingebrigtsen]

Amin Bandali <bandali@gnu.org> writes:

> Apologies for my slow reply and absence.  I haven't been well for a few
> weeks, and didn't have the time and energy to do much outside of work.
> Thankfully I am better now, and expect to be able to review Olivier's
> patches and hopefully get them applied in the coming days, starting
> tomorrow.  If not, I'll let you all know so you could review and apply
> them, thanks!

Great!  (Well, not great that you haven't been feeling well, but that
you're better.  :-))

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[J.P.]

Olivier Certner <olce.emacs@certner.fr> writes:

> * lisp/erc/erc-services.el (erc-nickserv-identify): Don't take the
> password anymore as an argument (and don't prompt for it
> interactively).  On the contrary, now take the nick to use for
> identification (interactively, ask for it, defaulting to the current
> one).  Move actual message sending into the new
> `erc-nickserv-send-identify', and password prompting into
> `erc-nickserv-get-password'.
>
> [...]
>
> -;;;###autoload
> -(defun erc-nickserv-identify (password)
> [...]
> +;;;###autoload
> +(defun erc-nickserv-identify (&optional nick)
> +  "Identify to NickServ immediately.

Hi Olivier, this concerns your changes to the autoloaded command
`erc-nickserv-identify'. Someone seeking help for a loosely related
issue shared this on Libera today:

  (defun uh-erc-identify ()
    (let ((pass
           (let ((s (shell-command-to-string "pass malc@irc.libera.chat")))
             (substring s 0 -1))))
      (erc-nickserv-identify pass)))

It strikes me that other folks may be doing the same, namely, using this
function in lisp code. So just to settle some imaginary nerves, it might
help to flesh out exactly why there's little risk of something
unfortunate/scary happening as a result of this interface change.

As I see it, the worst case scenario is that your password is sent in
place of your nick and ends up in the network's logs (where passwords
are normally redacted). If that's a realistic concern, perhaps you
should consider keeping the password param in its original position
for the sake of compatibility. Just a thought.

Also, I think the addition of the nick param bears some justifying too
because it may not be clear from your commit log and emails (or #45340)
why this is necessary. For me, the param is needed because some IRCds
and services daemons won't let you auth by passing your currently
assigned (perhaps unregistered) nick. In other words:

  PRIVMSG NickServ :IDENTIFY bob` mypass

or

  PRIVMSG NickServ :IDENTIFY mypass

won't work if you're trying to identify as "bob" and are currently
"bob`". But without the nick param you've added, a user would be forced
to issue the IRC command manually. Hope that's clear.

BTW, I've noticed that many services automatically re-NICK you as
confirmation of success, triggering `erc-nick-changed-functions', which
`erc-nickserv-identify-on-nick-change' is a member of by default. So you
get prompted again for no reason. (As you may be aware, double prompting
has also come up recently in the ERC channel, but I suspect the two are
unrelated.)

Anyway, I doubt you'll recall, but I tried (rather unconvincingly) to
raise this point earlier in this bug thread. If addressing this isn't in
the cards, then hopefully we can get a ruling on this patch and start
putting the days of scraping NickServ replies behind us (and begin
embracing the evolving standard). Thanks.

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[J.P.]

[-- Attachment #1: Type: text/plain, Size: 1274 bytes --]

"J.P." <jp@neverwas.me> writes:

> If that's a realistic concern, perhaps you should consider keeping the
> password param in its original position for the sake of compatibility.

Recent discussions have left me with the impression that at least one
consequential voice may be harboring reservations about the proposed
interface change to `erc-nickserv-identify'. I'd like to offer some
thoughts towards salvaging (at a minimum) the "prompting as a fallback"
portion of this patch, which I feel may be helpful to new users.

As a side note, the few changes that appear motivated mostly by
promoting a separation of concerns seem at worst benign and otherwise
potentially beneficial beyond maintenance matters (IMO). For example,
adding a helper, like the proposed `erc-nickserv-send-identify', to
encapsulate the actual request-making may improve this module's utility
as a traditional library. (A few bots may even appreciate that.)

Regarding the perceived minor bone of contention, my instincts favor the
bold move, as usual. But that's contingent on all things being equal,
which they likely aren't here (because passwords), meaning progressive
attitudes may have to take a back seat. So as a compromise, how about an
ugly chimera like the one in the attached example?


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0000-NOT-A-PATCH-discussion-example.diff --]
[-- Type: text/x-patch, Size: 3866 bytes --]

From 8ede558f8b7885e97bced96f5d06206ecb23a719 Mon Sep 17 00:00:00 2001
From: "F. Jason Park" <jp@neverwas.me>
Date: Mon, 13 Sep 2021 22:24:57 -0700
Subject: NOT A PATCH

Rebased atop

  commit 25ebb9374bdadf66153727831fc7ff131c8cf299
  Author: Stefan Kangas <stefan@marxist.se>
  Date:   Tue Sep 14 07:55:56 2021 +0200

      ; More minor docfixes found by checkdoc

for easier am-ing, should anyone want to inspect the changes in-tree.

Also, one tweak to the commit message isn't shown in the diff below but has to
do with no longer removing erc-nickserv-call-identity-function. In general,
I'm pretty much indifferent about preserving a revised rendition of that
function as a disembodied wrapper for erc-nickserv-identify. On the one hand,
anyone desperate/resourceful enough to have sought out the original (way back
whenever) should be capable of taking a little churn in stride. That said, if
I were enumerating things to delete from ERC, I'm not sure that'd make the top
ten.

Olivier Certner (1):
  ERC: NickServ: Prompt for password last, overall simplifications
    (bug#46777)

 etc/NEWS                 |  13 ++-
 lisp/erc/erc-services.el | 168 +++++++++++++++++++++++----------------
 2 files changed, 108 insertions(+), 73 deletions(-)

Interdiff:
diff --git a/lisp/erc/erc-services.el b/lisp/erc/erc-services.el
index 4233b4a322..adb3f521cd 100644
--- a/lisp/erc/erc-services.el
+++ b/lisp/erc/erc-services.el
@@ -404,20 +404,20 @@ erc-nickserv-identify-autodetect
 		 identify-regex
 		 (string-match identify-regex msg))
 	(erc-log "NickServ IDENTIFY request detected")
-	(erc-nickserv-identify nick)
+        (erc-nickserv-identify nil nick)
 	nil))))
 
 (defun erc-nickserv-identify-on-connect (_server nick)
   "Identify to Nickserv after the connection to the server is established."
   (unless (and (eq erc-nickserv-identify-mode 'both)
                (erc-nickserv-alist-regexp (erc-network)))
-    (erc-nickserv-identify nick)))
+    (erc-nickserv-identify nil nick)))
 
 (defun erc-nickserv-identify-on-nick-change (nick _old-nick)
   "Identify to Nickserv whenever your nick changes."
   (unless (and (eq erc-nickserv-identify-mode 'both)
                (erc-nickserv-alist-regexp (erc-network)))
-    (erc-nickserv-identify nick)))
+    (erc-nickserv-identify nil nick)))
 
 (defun erc-nickserv-get-password (nick)
   "Return the password for NICK from configured sources.
@@ -481,8 +481,13 @@ erc-nickserv-send-identify
     (erc-message msgtype
                  (concat nickserv " " identify-word " " nick password))))
 
+(defun erc-nickserv-call-identify-function (nickname)
+  "Call `erc-nickserv-identify' with NICKNAME."
+  (declare (obsolete erc-nickserv-identify "28.1"))
+  (erc-nickserv-identify nil nickname))
+
 ;;;###autoload
-(defun erc-nickserv-identify (&optional nick)
+(defun erc-nickserv-identify (&optional password nick)
   "Identify to NickServ immediately.
 Identification will either use NICK or the current nick if not
 provided, and some password obtained through
@@ -495,16 +500,18 @@ erc-nickserv-identify
 Returns t if the identify message could be sent, nil otherwise."
   (interactive
    (list
+    nil
     (read-from-minibuffer "Nickname: " nil nil nil
                           'erc-nick-history-list (erc-current-nick))))
   (unless (and nick (not (string= nick "")))
     (setq nick (erc-current-nick)))
-  (let ((password (erc-nickserv-get-password nick)))
-    (if password
-        (erc-nickserv-send-identify nick password)
-      (erc-error "Cannot find a password for nickname %s"
-                 nick)
-      nil)))
+  (unless password
+    (setq password (erc-nickserv-get-password nick)))
+  (if password
+      (erc-nickserv-send-identify nick password)
+    (erc-error "Cannot find a password for nickname %s"
+               nick)
+    nil))
 
 (provide 'erc-services)
 
-- 
2.31.1


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0001-ERC-NickServ-Prompt-for-password-last-overall-simpli.patch --]
[-- Type: text/x-patch, Size: 12025 bytes --]

From 99a110fa6d2f2be7b86bbf7a0c84089f19a1f584 Mon Sep 17 00:00:00 2001
From: Olivier Certner <olce.emacs@certner.fr>
Date: Fri, 5 Feb 2021 15:34:50 +0100
Subject: [PATCH 1/1] ERC: NickServ: Prompt for password last, overall
 simplifications (bug#46777)

When `erc-prompt-for-nickserv-password' is true, don't ignore the
other forms of identification.  Instead, process them first, and
prompt for the password last.  Separate concerns (determination of the
nick to use, of the password to use, and actual message sending).

Note that the user can be interactively prompted for a password on
reception of a Nickserv request, as before (on
`erc-prompt-for-nickserv-password').

* lisp/erc/erc-services.el (erc-nickserv-identify): Don't take the
password anymore as an argument (and don't prompt for it
interactively).  On the contrary, now take the nick to use for
identification (interactively, ask for it, defaulting to the current
one).  Move actual message sending into the new
`erc-nickserv-send-identify', and password prompting into
`erc-nickserv-get-password'.

(erc-nickserv-send-identify): New function containing the sending
code, given the nick and password.

(erc-nickserv-get-password): Try each password source in turn, in this
order: `erc-nickserv-passwords', auth-source (if
`erc-use-auth-source-for-nickserv-password' is true), and in the end
prompt the user interactively (if `erc-prompt-for-nickserv-password'
is true).  If one source returns a string, the function returns it, or
nil if the string is empty.

(erc-nickserv-call-identify-function): Retained for compatibility but
deprecated for simplicity. Prefer invoking erc-nickserv-identify
directly instead.

(erc-nickserv-identify-autodetect, erc-nickserv-identify-on-connect)
(erc-nickserv-identify-on-nick-change): Call `erc-nickserv-identify'
directly (`erc-nickserv-call-identify-function' was removed).  For the
last two functions, remove the redundant checks on the Nickserv
identification flags (additionally, it is doubtful they have any
measurable impact on performance).
---
 etc/NEWS                 |  13 ++-
 lisp/erc/erc-services.el | 168 +++++++++++++++++++++++----------------
 2 files changed, 108 insertions(+), 73 deletions(-)

diff --git a/etc/NEWS b/etc/NEWS
index d4f4c81f89..f9f14ea68f 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -2618,13 +2618,20 @@ Interactively, 'C-u C-c C-o' triggers this new optional behavior.
 ** ERC
 
 ---
-*** erc-services.el now supports NickServ passwords from auth-source.
+*** NickServ passwords can now be retrieved from auth-source
 The 'erc-use-auth-source-for-nickserv-password' user option enables
 querying auth-source for NickServ passwords.  To enable this, add the
 following to your init file:
 
-    (setq erc-prompt-for-nickserv-password nil
-          erc-use-auth-source-for-nickserv-password t)
+    (setq erc-use-auth-source-for-nickserv-password t)
+
+*** NickServ identification now prompts for password last
+When 'erc-prompt-for-nickserv-password' is true, the user used to be
+unconditionally prompted interactively for a password, regardless of
+the content of `erc-nickserv-passwords', which was effectively ignored
+(same for the new 'erc-use-auth-source-for-nickserv-password').  This
+limitation is now removed, and the user is interactively prompted
+last, after the other identification methods have run.
 
 ---
 *** The '/ignore' command will now ask for a timeout to stop ignoring the user.
diff --git a/lisp/erc/erc-services.el b/lisp/erc/erc-services.el
index 61006e0c02..adb3f521cd 100644
--- a/lisp/erc/erc-services.el
+++ b/lisp/erc/erc-services.el
@@ -169,9 +169,8 @@ erc-prompt-for-nickserv-password
 
 (defcustom erc-use-auth-source-for-nickserv-password nil
   "Query auth-source for a password when identifiying to NickServ.
-This option has an no effect if `erc-prompt-for-nickserv-password'
-is non-nil, and passwords from `erc-nickserv-passwords' take
-precedence."
+Passwords from `erc-nickserv-passwords' take precedence.  See
+function `erc-nickserv-get-password'."
   :version "28.1"
   :type 'boolean)
 
@@ -405,85 +404,114 @@ erc-nickserv-identify-autodetect
 		 identify-regex
 		 (string-match identify-regex msg))
 	(erc-log "NickServ IDENTIFY request detected")
-	(erc-nickserv-call-identify-function nick)
+        (erc-nickserv-identify nil nick)
 	nil))))
 
 (defun erc-nickserv-identify-on-connect (_server nick)
   "Identify to Nickserv after the connection to the server is established."
-  (unless (or (and (null erc-nickserv-passwords)
-                   (null erc-prompt-for-nickserv-password)
-                   (null erc-use-auth-source-for-nickserv-password))
-              (and (eq erc-nickserv-identify-mode 'both)
-                   (erc-nickserv-alist-regexp (erc-network))))
-    (erc-nickserv-call-identify-function nick)))
+  (unless (and (eq erc-nickserv-identify-mode 'both)
+               (erc-nickserv-alist-regexp (erc-network)))
+    (erc-nickserv-identify nil nick)))
 
 (defun erc-nickserv-identify-on-nick-change (nick _old-nick)
   "Identify to Nickserv whenever your nick changes."
-  (unless (or (and (null erc-nickserv-passwords)
-                   (null erc-prompt-for-nickserv-password)
-                   (null erc-use-auth-source-for-nickserv-password))
-              (and (eq erc-nickserv-identify-mode 'both)
-                   (erc-nickserv-alist-regexp (erc-network))))
-    (erc-nickserv-call-identify-function nick)))
-
-(defun erc-nickserv-get-password (nickname)
-  "Return the password for NICKNAME from configured sources.
-
-It uses `erc-nickserv-passwords' and additionally auth-source
-when `erc-use-auth-source-for-nickserv-password' is not nil."
-  (or
-   (when erc-nickserv-passwords
-     (cdr (assoc nickname
-                 (nth 1 (assoc (erc-network)
-                               erc-nickserv-passwords)))))
-   (when erc-use-auth-source-for-nickserv-password
-     (let* ((secret (nth 0 (auth-source-search
-                            :max 1 :require '(:secret)
-                            :host (erc-with-server-buffer erc-session-server)
-                            :port (format ; ensure we have a string
-                                   "%s" (erc-with-server-buffer erc-session-port))
-                            :user nickname))))
-       (when secret
-         (let ((passwd (plist-get secret :secret)))
-           (if (functionp passwd) (funcall passwd) passwd)))))))
-
-(defun erc-nickserv-call-identify-function (nickname)
-  "Call `erc-nickserv-identify'.
-Either call it interactively or run it with NICKNAME's password,
-depending on the value of `erc-prompt-for-nickserv-password'."
-  (if erc-prompt-for-nickserv-password
-      (call-interactively 'erc-nickserv-identify)
-    (erc-nickserv-identify (erc-nickserv-get-password nickname))))
+  (unless (and (eq erc-nickserv-identify-mode 'both)
+               (erc-nickserv-alist-regexp (erc-network)))
+    (erc-nickserv-identify nil nick)))
+
+(defun erc-nickserv-get-password (nick)
+  "Return the password for NICK from configured sources.
+First, a password for NICK is looked up in
+`erc-nickserv-passwords'.  Then, it is looked up in auth-source
+if `erc-use-auth-source-for-nickserv-password' is not nil.
+Finally, interactively prompt the user, if
+`erc-prompt-for-nickserv-password' is true.
+
+As soon as some source returns a password, the sequence of
+lookups stops and this function returns it (or returns nil if it
+is empty).  Otherwise, no corresponding password was found, and
+it returns nil."
+  (let (network server port)
+    ;; Fill in local vars, switching to the server buffer once only
+    (erc-with-server-buffer
+     (setq network erc-network
+           server erc-session-server
+           port erc-session-port))
+    (let ((ret
+           (or
+            (when erc-nickserv-passwords
+              (cdr (assoc nick
+                          (cl-second (assoc network
+                                            erc-nickserv-passwords)))))
+            (when erc-use-auth-source-for-nickserv-password
+              (let ((secret (cl-first (auth-source-search
+                                       :max 1 :require '(:secret)
+                                       :host server
+                                       ;; Ensure a string for :port
+                                       :port (format "%s" port)
+                                       :user nick))))
+                (when secret
+                  (let ((passwd (plist-get secret :secret)))
+                    (if (functionp passwd) (funcall passwd) passwd)))))
+            (when erc-prompt-for-nickserv-password
+              (read-passwd
+               (format "NickServ password for %s on %s (RET to cancel): "
+                       nick network))))))
+      (when (and ret (not (string= ret "")))
+        ret))))
 
 (defvar erc-auto-discard-away)
 
-;;;###autoload
-(defun erc-nickserv-identify (password)
+(defun erc-nickserv-send-identify (nick password)
   "Send an \"identify <PASSWORD>\" message to NickServ.
-When called interactively, read the password using `read-passwd'."
+Returns t if the message could be sent, nil otherwise."
+  (let* ((erc-auto-discard-away nil)
+         (network (erc-network))
+         (nickserv-info (assoc network erc-nickserv-alist))
+         (nickserv (or (erc-nickserv-alist-nickserv nil nickserv-info)
+                       "NickServ"))
+         (identify-word (or (erc-nickserv-alist-ident-keyword
+                             nil nickserv-info)
+                            "IDENTIFY"))
+         (nick (if (erc-nickserv-alist-use-nick-p nil nickserv-info)
+                   (concat nick " ")
+                 ""))
+         (msgtype (or (erc-nickserv-alist-ident-command nil nickserv-info)
+                      "PRIVMSG")))
+    (erc-message msgtype
+                 (concat nickserv " " identify-word " " nick password))))
+
+(defun erc-nickserv-call-identify-function (nickname)
+  "Call `erc-nickserv-identify' with NICKNAME."
+  (declare (obsolete erc-nickserv-identify "28.1"))
+  (erc-nickserv-identify nil nickname))
+
+;;;###autoload
+(defun erc-nickserv-identify (&optional password nick)
+  "Identify to NickServ immediately.
+Identification will either use NICK or the current nick if not
+provided, and some password obtained through
+`erc-nickserv-get-password' (which see).  If no password can be
+found, an error is reported trough `erc-error'.
+
+Interactively, the user will be prompted for NICK, an empty
+string meaning to default to the current nick.
+
+Returns t if the identify message could be sent, nil otherwise."
   (interactive
-   (list (read-passwd
-	  (format "NickServ password for %s on %s (RET to cancel): "
-		  (erc-current-nick)
-		  (or (and (erc-network)
-			   (symbol-name (erc-network)))
-		      "Unknown network")))))
-  (when (and password (not (string= "" password)))
-    (let* ((erc-auto-discard-away nil)
-	   (network (erc-network))
-	   (nickserv-info (assoc network erc-nickserv-alist))
-	   (nickserv (or (erc-nickserv-alist-nickserv nil nickserv-info)
-			 "NickServ"))
-	   (identify-word (or (erc-nickserv-alist-ident-keyword
-			       nil nickserv-info)
-			      "IDENTIFY"))
-	   (nick (if (erc-nickserv-alist-use-nick-p nil nickserv-info)
-		     (concat (erc-current-nick) " ")
-		   ""))
-	   (msgtype (or (erc-nickserv-alist-ident-command nil nickserv-info)
-			"PRIVMSG")))
-      (erc-message msgtype
-		   (concat nickserv " " identify-word " " nick password)))))
+   (list
+    nil
+    (read-from-minibuffer "Nickname: " nil nil nil
+                          'erc-nick-history-list (erc-current-nick))))
+  (unless (and nick (not (string= nick "")))
+    (setq nick (erc-current-nick)))
+  (unless password
+    (setq password (erc-nickserv-get-password nick)))
+  (if password
+      (erc-nickserv-send-identify nick password)
+    (erc-error "Cannot find a password for nickname %s"
+               nick)
+    nil))
 
 (provide 'erc-services)
 
-- 
2.31.1

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Amin Bandali]

Hi all,

J.P. writes:

> "J.P." <jp@neverwas.me> writes:
>
>> If that's a realistic concern, perhaps you should consider keeping the
>> password param in its original position for the sake of compatibility.
>
> Recent discussions have left me with the impression that at least one
> consequential voice may be harboring reservations about the proposed
> interface change to `erc-nickserv-identify'. I'd like to offer some
> thoughts towards salvaging (at a minimum) the "prompting as a fallback"
> portion of this patch, which I feel may be helpful to new users.
>
> As a side note, the few changes that appear motivated mostly by
> promoting a separation of concerns seem at worst benign and otherwise
> potentially beneficial beyond maintenance matters (IMO). For example,
> adding a helper, like the proposed `erc-nickserv-send-identify', to
> encapsulate the actual request-making may improve this module's utility
> as a traditional library. (A few bots may even appreciate that.)
>
> Regarding the perceived minor bone of contention, my instincts favor the
> bold move, as usual. But that's contingent on all things being equal,
> which they likely aren't here (because passwords), meaning progressive
> attitudes may have to take a back seat. So as a compromise, how about an
> ugly chimera like the one in the attached example?

After a closer look, I am indeed hesitant about merging the original
patch, since it changes the interface of `erc-nickserv-identify' -- a
function as old as time, as far as ERC is concerned, and likely in use
by many -- especially since it deals with passwords.  Instead, I would
prefer one of the following approaches:

1. change the function's arguments in a backwards-compatible way
   (i.e. by adding new &optional args as needed), and ignore the
   arg we don't need anymore (the password in this case, and
   make sure we don't accidentally expose it instead of a nick);

2. gradually phase out the function if we must: either declare it
   obsolete and make it a wrapper around a new function with the
   desired API (I did this recently for one of Olivier's patches for
   erc-track) (this might very well involve option 1 as well), and
   remove the function at some later point after some major releases
   of Emacs; or

3. save the backward-incompatible interface change for a major ERC
   version bump.

We could do one or a mix of the above three options gradually, giving
users enough time and notice to adapt, and avoid putting them at risk.
For this case, option 1 seems straightforward to do, but so does 2.

From a quick look at J.P.'s revised version of Olivier's patch, it
looks quite favourable to me, in its preserving backward compatibility
in erc-nickserv-identify's interface and obsoleting (rather than
deleting) erc-nickserv-call-identify-function and making it a wrapper
around erc-nickserv-identify, and could probably be merged with few
minor tweaks.

J.P., Olivier, Lars, thoughts?

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Lars Ingebrigtsen]

Amin Bandali <bandali@gnu.org> writes:

> 2. gradually phase out the function if we must: either declare it
>    obsolete and make it a wrapper around a new function with the
>    desired API

This is usually the way to handle things like this, and it looks like
the right solution here, too.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Amin Bandali]

Hi all,

Lars Ingebrigtsen writes:

> Amin Bandali <bandali@gnu.org> writes:
>
>> 2. gradually phase out the function if we must: either declare it
>>    obsolete and make it a wrapper around a new function with the
>>    desired API
>
> This is usually the way to handle things like this, and it looks like
> the right solution here, too.

Thanks, sounds good.

                                 * * *

J.P. writes:

> Amin Bandali <bandali@gnu.org> writes:
>
>> 1. change the function's arguments in a backwards-compatible way
>>    (i.e. by adding new &optional args as needed), and ignore the
>>    arg we don't need anymore (the password in this case, and
>>    make sure we don't accidentally expose it instead of a nick);
>
> I guess ignoring the password arg means some folks currently using this
> entry point in lisp code may have to call `erc-nickserv-send-identify'
> directly instead, depending on their needs. Works for me, but if that's
> the plan, I don't think the version I sent fits the bill entirely.

Right.  I think your *not* ignoring the password here is actually more
familiar and desirable, and I prefer it over what I'd suggested. :)

>> From a quick look at J.P.'s revised version of Olivier's patch, it
>> looks quite favourable to me
>
> Um, that was mostly me trying out my bandali impersonation (blasphemous,
> I know).

Ha, you give me too much credit. :)

Okay so having tested and reviewed J.P.'s revised patch, it looks good
to me; so I went ahead and merged it with some minor tweaks, including
listing J.P. as co-author:

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=c6eb114a42922af18818dce7317238e0af776958

Thank you all for your help and bearing with me until I finally got
around to this.

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Olivier Certner]

Hi all,

Sorry for not having much time to respond, and thanks for having handled the 
compatibility concern through proposals 1 & 2, which I agree with. In 
particular, it is best that PASSWORD remains the first parameter to `erc-
nickserv-identify', for compatibility but practical use also , since the nick 
is normally already set when this function is called (non-interactively).

The only thing I might have done differently is deleting `erc-nickserv-call-
identify-function' instead of obsoleting it since, contrary to `erc-nickserv-
identify', I don't think people would use it directly (the name sounds too 
much "internal"; I may be wrong on its actual use, though). But your approach 
is the most prudent one.

I'll try to hang around in #erc and respond to your mails a bit more quickly, 
at least for matters that do not take much time.

Thanks,
Olivier

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[Amin Bandali]

Hi Olivier,

Olivier Certner writes:

> Hi all,
>
> Sorry for not having much time to respond, and thanks for having handled the 
> compatibility concern through proposals 1 & 2, which I agree with. In 
> particular, it is best that PASSWORD remains the first parameter to `erc-
> nickserv-identify', for compatibility but practical use also , since the nick 
> is normally already set when this function is called (non-interactively).
>
> The only thing I might have done differently is deleting `erc-nickserv-call-
> identify-function' instead of obsoleting it since, contrary to `erc-nickserv-
> identify', I don't think people would use it directly (the name sounds too 
> much "internal"; I may be wrong on its actual use, though). But your approach 
> is the most prudent one.

No worries, and thanks.  Yeah we probably could have indeed deleted
`erc-nickserv-call-identify-function', but decided to play it safe(r)
and keep it for now. :)

> I'll try to hang around in #erc and respond to your mails a bit more quickly, 
> at least for matters that do not take much time.
>
> Thanks,
> Olivier

Thanks!

-amin

bug#46777: 28.0.50; ERC: NickServ identification: Prompt for password after other sources, overall simplifications

[J.P.]

Amin Bandali <bandali@gnu.org> writes:

> 1. change the function's arguments in a backwards-compatible way
>    (i.e. by adding new &optional args as needed), and ignore the
>    arg we don't need anymore (the password in this case, and
>    make sure we don't accidentally expose it instead of a nick);

I guess ignoring the password arg means some folks currently using this
entry point in lisp code may have to call `erc-nickserv-send-identify'
directly instead, depending on their needs. Works for me, but if that's
the plan, I don't think the version I sent fits the bill entirely.

> From a quick look at J.P.'s revised version of Olivier's patch, it
> looks quite favourable to me

Um, that was mostly me trying out my bandali impersonation (blasphemous,
I know).