When we send a message on behalf of a user who isn't using roost, we send it unauthenticated with the user's username as the zsender. We treat any unauthenticated zephyr that was sent from our IP as authenticated to avoid marking our own zephyrs as unauth'd, which has security implications. In addition, this causes problems if we are running two instances of the server from different IPs, as we can end up with duplicated messages in the database.
Ideally, we should embed some kind of MAC into the zephyrs that we send.
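One way the MAC idea could look, as an added example that is not code from the project: an HMAC-SHA256 tag over the message fields replaces the "came from our IP" check, and any instance holding the same key can verify it. The function names, the field set, the per-message nonce and the way the tag travels with the zephyr are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo key. Assumption: in a real deployment every server
# instance loads the same secret key from its configuration.
KEY = bytes(range(32))


def _encode(fields):
    """Length-prefix every field so field boundaries cannot be shifted."""
    out = b"outgoing-zephyr-mac-v1"  # domain-separation label (hypothetical)
    for value in fields:
        data = value.encode("utf-8")
        out += struct.pack(">I", len(data)) + data
    return out


def sign_outgoing(key, sender, zclass, instance, recipient, body, nonce=None):
    """Return (nonce, tag) to attach to a zephyr sent on a user's behalf.

    The random nonce makes each tag unique; a second instance could also
    use it as an id to recognise a message it has already stored.
    """
    if nonce is None:
        nonce = secrets.token_hex(16)
    msg = _encode((nonce, sender, zclass, instance, recipient, body))
    return nonce, hmac.new(key, msg, hashlib.sha256).hexdigest()


def sent_by_us(key, sender, zclass, instance, recipient, body, nonce, tag):
    """True only if the tag verifies; the source IP is never consulted."""
    if not isinstance(nonce, str) or not isinstance(tag, str):
        return False  # no tag present: treat as an ordinary unauth zephyr
    _, expected = sign_outgoing(key, sender, zclass, instance, recipient,
                                body, nonce)
    # Constant-time comparison, on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode("ascii"),
                               tag.encode("utf-8", "replace"))


if __name__ == "__main__":
    n, t = sign_outgoing(KEY, "alice", "message", "personal", "bob", "hi")
    print(sent_by_us(KEY, "alice", "message", "personal", "bob", "hi", n, t))
    print(sent_by_us(KEY, "mallory", "message", "personal", "bob", "hi", n, t))
```

A tag alone does not stop a captured zephyr from being resent unchanged; tracking nonces already seen would be needed for that.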