xmpp.go

// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// TODO(rsc):
//	More precise error handling.
//	Presence functionality.
// TODO(mattn):
//  Add proxy authentication.

// Package xmpp implements a simple Google Talk client
// using the XMPP protocol described in RFC 3920 and RFC 3921.
package xmpp

import (
	"bufio"
	"bytes"
	"crypto/hmac"
	"crypto/md5" //nolint:gosec // go fuck yourself, gosec
	"crypto/rand"
	"crypto/sha1" //nolint:gosec // go fuck yourself, gosec
	"crypto/sha256"
	"crypto/sha512"
	"crypto/tls"
	"encoding/base64"
	"encoding/binary"
	"encoding/xml"
	"errors"
	"fmt"
	"hash"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/url"
	"os"
	"regexp"
	"strconv"
	"strings"
	"time"

	"golang.org/x/crypto/pbkdf2"
	"golang.org/x/text/encoding/charmap"
)

const (
	nsStream  = "http://etherx.jabber.org/streams"
	nsTLS     = "urn:ietf:params:xml:ns:xmpp-tls"
	nsSASL    = "urn:ietf:params:xml:ns:xmpp-sasl"
	nsBind    = "urn:ietf:params:xml:ns:xmpp-bind"
	nsClient  = "jabber:client"
	nsSession = "urn:ietf:params:xml:ns:xmpp-session"
)

// DefaultConfig is default TLS configuration options.
var DefaultConfig = &tls.Config{} //nolint:gosec // go fuck yourself, gosec

// DebugWriter is the writer used to write debugging output to.
var DebugWriter io.Writer = os.Stderr
var StanzaWriter io.Writer

// Cookie is a unique XMPP session identifier.
type Cookie uint64

func getCookie() Cookie {
	var buf [8]byte
	if _, err := rand.Reader.Read(buf[:]); err != nil {
		panic("Failed to read random bytes: " + err.Error())
	}

	return Cookie(binary.LittleEndian.Uint64(buf[:]))
}

// Client holds XMPP connection options.
type Client struct {
	conn   net.Conn // connection to server
	jid    string   // Jabber ID for our connection
	domain string
	p      *xml.Decoder
}

func (c *Client) JID() string {
	return c.jid
}

func containsIgnoreCase(s, substr string) bool {
	s, substr = strings.ToUpper(s), strings.ToUpper(substr)

	return strings.Contains(s, substr)
}

func connect(host, user, passwd string, timeout time.Duration) (net.Conn, error) {
	addr := host

	if strings.TrimSpace(host) == "" {
		a := strings.SplitN(user, "@", 2)
		if len(a) == 2 {
			addr = a[1]
		}
	}

	a := strings.SplitN(host, ":", 2)

	if len(a) == 1 {
		addr += ":5222"
	}

	proxy := os.Getenv("HTTP_PROXY")
	if proxy == "" {
		proxy = os.Getenv("http_proxy")
	}
	// test for no proxy, takes a comma separated list with substrings to match
	if proxy != "" {
		noproxy := os.Getenv("NO_PROXY")

		if noproxy == "" {
			noproxy = os.Getenv("no_proxy")
		}

		if noproxy != "" {
			nplist := strings.Split(noproxy, ",")

			for _, s := range nplist {
				if containsIgnoreCase(addr, s) {
					proxy = ""

					break
				}
			}
		}
	}

	if proxy != "" {
		url, err := url.Parse(proxy)

		if err == nil {
			addr = url.Host
		}
	}

	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return nil, err
	}

	if proxy != "" {
		if _, err := fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\n", host); err != nil {
			return nil, err
		}

		if _, err := fmt.Fprintf(conn, "Host: %s\r\n", host); err != nil {
			return nil, err
		}

		if _, err := fmt.Fprintf(conn, "\r\n"); err != nil {
			return nil, err
		}

		br := bufio.NewReader(conn)
		req, _ := http.NewRequest("CONNECT", host, nil) //nolint:noctx     // In this case we don't care about context
		resp, err := http.ReadResponse(br, req)         //nolint:bodyclose // The point is NOT to close proxied connection

		if err != nil {
			return nil, err
		}

		if resp.StatusCode != http.StatusOK {
			f := strings.SplitN(resp.Status, " ", 2)
			return nil, errors.New(f[1])
		}
	}

	return conn, nil
}

// Options are used to specify additional options for new clients, such as a Resource.
type Options struct {
	// Host specifies what host to connect to, as either "hostname" or "hostname:port"
	// If host is not specified, the DNS SRV should be used to find the host from the domainpart of the JID.
	// Default the port to 5222.
	Host string

	// User specifies what user to authenticate to the remote server.
	User string

	// Password supplies the password to use for authentication with the remote server.
	Password string

	// DialTimeout is the time limit for establishing a connection. A
	// DialTimeout of zero means no timeout.
	DialTimeout time.Duration

	// Resource specifies an XMPP client resource, like "bot", instead of accepting one
	// from the server.  Use "" to let the server generate one for your client.
	Resource string

	// OAuthScope provides go-xmpp the required scope for OAuth2 authentication.
	OAuthScope string

	// OAuthToken provides go-xmpp with the required OAuth2 token used to authenticate
	OAuthToken string

	// OAuthXmlNs provides go-xmpp with the required namespaced used for OAuth2 authentication.  This is
	// provided to the server as the xmlns:auth attribute of the OAuth2 authentication request.
	OAuthXmlNs string

	// TLS Config
	TLSConfig *tls.Config

	// InsecureAllowUnencryptedAuth permits authentication over a TCP connection that has not been promoted to
	// TLS by STARTTLS; this could leak authentication information over the network, or permit man in the middle
	// attacks.
	InsecureAllowUnencryptedAuth bool

	// NoTLS directs go-xmpp to not use TLS initially to contact the server; instead, a plain old unencrypted
	// TCP connection should be used. (Can be combined with StartTLS to support STARTTLS-based servers.)
	NoTLS bool

	// StartTLS directs go-xmpp to STARTTLS if the server supports it; go-xmpp will automatically STARTTLS
	// if the server requires it regardless of this option.
	StartTLS bool

	// Debug output
	Debug bool

	// Use server sessions
	Session bool

	// Presence Status
	Status string

	// Status message
	StatusMessage string
}

// NewClient establishes a new Client connection based on a set of Options.
func (o Options) NewClient() (*Client, error) {
	host := o.Host
	if strings.TrimSpace(host) == "" {
		a := strings.SplitN(o.User, "@", 2)
		if len(a) == 2 {
			if _, addrs, err := net.LookupSRV("xmpp-client", "tcp", a[1]); err == nil {
				if len(addrs) > 0 {
					// default to first record
					host = fmt.Sprintf("%s:%d", addrs[0].Target, addrs[0].Port)
					defP := addrs[0].Priority

					for _, adr := range addrs {
						if adr.Priority < defP {
							host = fmt.Sprintf("%s:%d", adr.Target, adr.Port)
							defP = adr.Priority
						}
					}
				} else {
					host = a[1]
				}
			} else {
				host = a[1]
			}
		}
	}

	c, err := connect(host, o.User, o.Password, o.DialTimeout)

	if err != nil {
		return nil, err
	}

	if strings.LastIndex(host, ":") > 0 {
		host = host[:strings.LastIndex(host, ":")]
	}

	client := new(Client)

	if o.NoTLS {
		client.conn = c
	} else {
		var tlsconn *tls.Conn
		if o.TLSConfig != nil {
			tlsconn = tls.Client(c, o.TLSConfig)
			host = o.TLSConfig.ServerName
		} else {
			newconfig := DefaultConfig.Clone()
			newconfig.ServerName = host
			tlsconn = tls.Client(c, newconfig)
		}
		if err = tlsconn.Handshake(); err != nil {
			return nil, err
		}
		insecureSkipVerify := DefaultConfig.InsecureSkipVerify
		if o.TLSConfig != nil {
			insecureSkipVerify = o.TLSConfig.InsecureSkipVerify
		}
		if !insecureSkipVerify {
			if err = tlsconn.VerifyHostname(host); err != nil {
				return nil, err
			}
		}
		client.conn = tlsconn
	}

	if err := client.init(&o); err != nil {
		return nil, err
	}

	return client, nil
}

// NewClient creates a new connection to a host given as "hostname" or "hostname:port".
// If host is not specified, the  DNS SRV should be used to find the host from the domainpart of the JID.
// Default the port to 5222.
func NewClient(host, user, passwd string, debug bool) (*Client, error) {
	opts := Options{
		Host:     host,
		User:     user,
		Password: passwd,
		Debug:    debug,
		Session:  false,
	}

	return opts.NewClient()
}

// NewClientNoTLS creates a new client without TLS.
func NewClientNoTLS(host, user, passwd string, debug bool) (*Client, error) {
	opts := Options{
		Host:     host,
		User:     user,
		Password: passwd,
		NoTLS:    true,
		Debug:    debug,
		Session:  false,
	}

	return opts.NewClient()
}

// Close closes the XMPP connection.
func (c *Client) Close() error {
	if c.conn != (*tls.Conn)(nil) {
		return c.conn.Close()
	}

	return nil
}

func saslDigestResponse(username, realm, passwd, nonce, cnonceStr, authenticate, digestURI, nonceCountStr string) string {
	h := func(text string) []byte {
		h := md5.New() //nolint:gosec // go fuck yourself, gosec
		h.Write([]byte(text))

		return h.Sum(nil)
	}
	hex := func(bytes []byte) string {
		return fmt.Sprintf("%x", bytes)
	}
	kd := func(secret, data string) []byte {
		return h(secret + ":" + data)
	}

	a1 := string(h(username+":"+realm+":"+passwd)) + ":" + nonce + ":" + cnonceStr
	a2 := authenticate + ":" + digestURI
	response := hex(kd(hex(h(a1)), nonce+":"+nonceCountStr+":"+cnonceStr+":auth:"+hex(h(a2))))

	return response
}

func cnonce() string {
	randSize := big.NewInt(0)
	randSize.Lsh(big.NewInt(1), 64)
	cn, err := rand.Int(rand.Reader, randSize)

	if err != nil {
		return ""
	}

	return fmt.Sprintf("%016x", cn)
}

func (c *Client) init(o *Options) error {
	var (
		domain string
		user   string
	)

	a := strings.SplitN(o.User, "@", 2)

	// Check if User is not empty. Otherwise, we'll be attempting ANONYMOUS with Host domain.
	switch {
	case len(o.User) > 0:
		if len(a) != 2 {
			return errors.New("xmpp: invalid username (want user@domain): " + o.User)
		}

		user = a[0]
		domain = a[1]
	case strings.Contains(o.Host, ":"):
		domain = strings.SplitN(o.Host, ":", 2)[0]
	default:
		domain = o.Host
	}

	// Declare intent to be a jabber client and gather stream features.
	f, err := c.startStream(o, domain)
	if err != nil {
		return err
	}

	// If the server requires we STARTTLS, attempt to do so.
	if f, err = c.startTLSIfRequired(f, o, domain); err != nil {
		return err
	}

	var (
		mechanism       string
		serverSignature []byte
	)

	if o.User == "" && o.Password == "" {
		foundAnonymous := false

		for _, m := range f.Mechanisms.Mechanism {
			if m == "ANONYMOUS" {
				_, err := fmt.Fprintf(StanzaWriter, "<auth xmlns='%s' mechanism='ANONYMOUS' />\n", nsSASL)
				if err != nil {
					return err
				}

				foundAnonymous = true

				break
			}
		}

		if !foundAnonymous {
			return fmt.Errorf("server does not allow ANONYMOUS authentication and username and password were not specified")
		}
	} else {
		// Even digest forms of authentication are unsafe if we do not know that the host
		// we are talking to is the actual server, and not a man in the middle playing
		// proxy.
		if !c.IsEncrypted() && !o.InsecureAllowUnencryptedAuth {
			return errors.New("refusing to authenticate over unencrypted TCP connection")
		}

		mechanism = ""
		for _, m := range f.Mechanisms.Mechanism {
			switch m {
			case "SCRAM-SHA-512":
				mechanism = m
			case "SCRAM-SHA-256":
				if mechanism != "SCRAM-SHA-512" {
					mechanism = m
				}
			case "SCRAM-SHA-1":
				if mechanism != "SCRAM-SHA-512" &&
					mechanism != "SCRAM-SHA-256" {
					mechanism = m
				}
			case "X-OAUTH2":
				if mechanism == "" {
					mechanism = m
				}
			case "PLAIN":
				if mechanism == "" {
					mechanism = m
				}
			case "DIGEST-MD5":
				if mechanism == "" {
					mechanism = m
				}
			}
		}
		if strings.HasPrefix(mechanism, "SCRAM-SHA") {
			// So here we are. XMPP folks "moved to historical" digest-md5 method
			// https://datatracker.ietf.org/doc/html/rfc6331
			// Looks like beacause of security shiteaters squealing about md5 "insecurity". And instead of peeing
			// against winds, xmpp.org decide to deprecate digest mechanics and use scram, it is here anyway, so why
			// not? Wise decision, kind of. But sooner or later "pseudo-security fanboys" will begin their raid against
			// this already-not-so-new scram-thing. In-fact, they already abuse sha1,
			// https://datatracker.ietf.org/doc/html/rfc6194
			// Authentication can be considered relatively secure even via plain mechanism only via properly encrypted
			// communication, leave this security thing to ssl. Do not try to invent secure auth via unencryped
			// communication channels, it is labour of Sisyphus. Anyway, enough of rant.
			var shaNewFn func() hash.Hash

			// SCRAM-SHA256 vaguely described in https://datatracker.ietf.org/doc/html/rfc7677 which is main document
			// for SCRAM-SHA* implementation. So we have to use more detailed description on
			// https://wiki.xmpp.org/web/SASL_Authentication_and_SCRAM as reference.
			switch mechanism {
			case "SCRAM-SHA-512":
				shaNewFn = sha512.New
			case "SCRAM-SHA-256":
				shaNewFn = sha256.New
			case "SCRAM-SHA-1":
				shaNewFn = sha1.New
			default:
				return errors.New("unsupported auth mechanism")
			}

			// 1. Normalization of utf-8 strings, namely - password, to avoid any variations that utf-8 allows.
			// Normalization requirements described there, in common terms https://datatracker.ietf.org/doc/html/rfc4013
			// We miss it here because this task is tedious/difficult to perform completely. So we absolutely trust in
			// copy-paste :)

			// 2. Pick a random string
			clientNonce := cnonce()

			// 3. Prepare initial message.
			initialMessage := fmt.Sprintf("n=%s,r=%s", user, clientNonce)

			// 4. The client prepends the GS2 header ("n,,"). Base64 it and send to server.
			initialMessageGS2 := []byte("n,," + initialMessage)
			b64Buffer := base64.StdEncoding.EncodeToString(initialMessageGS2)

			_, err := fmt.Fprintf(
				StanzaWriter,
				"<auth xmlns='%s' mechanism='%s'>%s</auth>",
				nsSASL,
				mechanism,
				b64Buffer,
			)

			if err != nil {
				return err
			}

			// 5. The server responds with a challenge. The data of the challenge is base64 encoded.
			var sfm string

			if err = c.p.DecodeElement(&sfm, nil); err != nil {
				return errors.New("unmarshal <challenge>: " + err.Error())
			}

			// 6. The client base64 decodes it.
			b, err := base64.StdEncoding.DecodeString(sfm)
			if err != nil {
				return err
			}

			// 7. The client parses it decoded string.
			//    Here we have
			//    r as serverNonce
			//    s as salt
			//    i as iterations
			var (
				serverNonce string
				salt        []byte
				iterations  int
			)

			for _, serverReply := range strings.Split(string(b), ",") {
				switch {
				case strings.HasPrefix(serverReply, "r="):
					serverNonce = strings.SplitN(serverReply, "=", 2)[1]
					if !strings.HasPrefix(serverNonce, clientNonce) {
						return errors.New("SCRAM: server nonce didn't start with client nonce")
					}
				case strings.HasPrefix(serverReply, "s="):
					salt, err = base64.StdEncoding.DecodeString(strings.SplitN(serverReply, "=", 2)[1])

					if err != nil {
						return err
					}

					if string(salt) == "" {
						return errors.New("SCRAM: server sent empty salt")
					}
				case strings.HasPrefix(serverReply, "i="):
					iterations, err = strconv.Atoi(strings.SplitN(serverReply,
						"=", 2)[1])
					if err != nil {
						return err
					}
				default:
					return errors.New("unexpected conted in SCRAM challenge")
				}
			}

			// 8. The client computes parameters for its final message
			var (
				clientFinalMessageBare = fmt.Sprintf("c=biws,r=%s", serverNonce)
				saltedPassword         = pbkdf2.Key([]byte(o.Password), salt, iterations, shaNewFn().Size(), shaNewFn)
				h                      = hmac.New(shaNewFn, saltedPassword)
			)

			if _, err = h.Write([]byte("Client Key")); err != nil {
				return err
			}

			clientKey := h.Sum(nil)
			h.Reset()
			var storedKey []byte

			switch mechanism {
			case "SCRAM-SHA-512":
				storedKey512 := sha512.Sum512(clientKey)
				storedKey = storedKey512[:]
			case "SCRAM-SHA-256":
				storedKey256 := sha256.Sum256(clientKey)
				storedKey = storedKey256[:]
			case "SCRAM-SHA-1":
				storedKey1 := sha1.Sum(clientKey) //nolint:gosec // fuck yourself, gosec
				storedKey = storedKey1[:]
			}

			if _, err = h.Write([]byte("Server Key")); err != nil {
				return err
			}

			serverFirstMessage, err := base64.StdEncoding.DecodeString(sfm)
			if err != nil {
				return err
			}

			authMessage := fmt.Sprintf(
				"%s,%s,%s",
				initialMessage,
				string(serverFirstMessage),
				clientFinalMessageBare,
			)

			h = hmac.New(shaNewFn, storedKey)

			if _, err = h.Write([]byte(authMessage)); err != nil {
				return err
			}

			clientSignature := h.Sum(nil)
			h.Reset()

			if len(clientKey) != len(clientSignature) {
				return errors.New("SCRAM: client key and signature length mismatch")
			}

			clientProof := make([]byte, len(clientKey))

			for i := range clientKey {
				clientProof[i] = clientKey[i] ^ clientSignature[i]
			}

			h = hmac.New(shaNewFn, saltedPassword)

			if _, err = h.Write([]byte("Server Key")); err != nil {
				return err
			}

			serverKey := h.Sum(nil)
			h.Reset()
			h = hmac.New(shaNewFn, serverKey)

			if _, err = h.Write([]byte(authMessage)); err != nil {
				return err
			}

			serverSignature = h.Sum(nil)

			if string(serverSignature) == "" {
				return errors.New("SCRAM: calculated an empty server signature")
			}

			clientFinalMessage := base64.StdEncoding.EncodeToString(
				[]byte(
					clientFinalMessageBare + ",p=" + base64.StdEncoding.EncodeToString(clientProof),
				),
			)

			_, err = fmt.Fprintf(
				StanzaWriter,
				"<response xmlns='%s'>%s</response>",
				nsSASL,
				clientFinalMessage,
			)

			if err != nil {
				return err
			}
		}

		if mechanism == "X-OAUTH2" && o.OAuthToken != "" && o.OAuthScope != "" {
			// Oauth authentication is very similar to PLAIN: we send base64-encoded \x00 user \x00 token.
			raw := "\x00" + user + "\x00" + o.OAuthToken
			enc := make([]byte, base64.StdEncoding.EncodedLen(len(raw)))
			base64.StdEncoding.Encode(enc, []byte(raw))
			_, err := fmt.Fprintf(StanzaWriter, "<auth xmlns='%s' mechanism='X-OAUTH2' auth:service='oauth2' "+
				"xmlns:auth='%s'>%s</auth>\n", nsSASL, o.OAuthXmlNs, enc)
			if err != nil {
				return err
			}
		}

		if mechanism == "PLAIN" {
			// Plain authentication: according to rfc4616, it is sufficient to send base64-encoded
			// \x00 user \x00 password.
			var (
				raw []byte
				enc []byte
			)

			raw = append(raw, []byte("\x00")...)
			raw = append(raw, []byte(user)...)
			raw = append(raw, []byte("\x00")...)
			raw = append(raw, []byte(o.Password)...)

			base64.StdEncoding.Encode(enc, raw)

			_, err := fmt.Fprintf(c.conn, "<auth xmlns='%s' mechanism='PLAIN'>%s</auth>\n", nsSASL, enc)

			if err != nil {
				return err
			}
		}

		if mechanism == "DIGEST-MD5" {
			// Digest-MD5 authentication
			// Step one, https://datatracker.ietf.org/doc/html/rfc2831#section-2.1.1
			_, err := fmt.Fprintf(StanzaWriter, "<auth xmlns='%s' mechanism='DIGEST-MD5'/>\n", nsSASL)

			if err != nil {
				return err
			}

			var ch saslChallenge

			if err = c.p.DecodeElement(&ch, nil); err != nil {
				return errors.New("unmarshal <challenge>: " + err.Error())
			}

			b, err := base64.StdEncoding.DecodeString(string(ch))

			if err != nil {
				return err
			}

			tokens := map[string]string{}

			for _, token := range strings.Split(string(b), ",") {
				kv := strings.SplitN(strings.TrimSpace(token), "=", 2)
				if len(kv) == 2 {
					if kv[1][0] == '"' && kv[1][len(kv[1])-1] == '"' {
						kv[1] = kv[1][1 : len(kv[1])-1]
					}
					tokens[kv[0]] = kv[1]
				}
			}

			// Step two, https://datatracker.ietf.org/doc/html/rfc2831#section-2.1.2
			var (
				realm      = tokens["realm"]
				nonce      = tokens["nonce"]
				qop        = tokens["qop"]
				charset    = tokens["charset"]
				cnonceStr  = cnonce()
				digestURI  = "xmpp/" + domain
				nonceCount = fmt.Sprintf("%08x", 1)
			)

			// 2.1.2 part of rfc2831 says about charset:
			//  This directive, if present, specifies that the client has use UTF-8 encoding for the username
			//  and password. If not present, the username and password must be encoded in ISO 8859-1 (of which
			//  US-ASCII is a subset). The client should send this directive only if the server has indicated it
			//  supports UTF-8.
			// So we have to somehow detect that server can do utf-8. Simplest way to check charset that we get in Step
			// one.
			var (
				digest  string
				message []byte
			)

			if match, _ := regexp.MatchString("(UTF-8|UTF8|utf-8|utf8)", charset); match {
				digest = saslDigestResponse(user, realm, o.Password, nonce, cnonceStr, "AUTHENTICATE",
					digestURI, nonceCount)
			} else {
				encoder := charmap.ISO8859_1.NewEncoder()
				password, err := encoder.Bytes([]byte(o.Password))

				if err != nil {
					return err
				}

				digest = saslDigestResponse(user, realm, string(password), nonce, cnonceStr, "AUTHENTICATE",
					digestURI, nonceCount)
			}

			if match, _ := regexp.MatchString("(UTF-8|UTF8|utf-8|utf8)", charset); match {
				message = append(message, []byte(`username="`)...)
				message = append(message, []byte(user)...)
				message = append(message, []byte(`", "`)...)
			} else {
				encoder := charmap.ISO8859_1.NewEncoder()
				userISO, err := encoder.Bytes([]byte(user))

				if err != nil {
					return err
				}

				message = append(message, []byte(`username="`)...)
				message = append(message, userISO...)
				message = append(message, []byte(`", "`)...)
			}

			message = append(message, []byte(fmt.Sprintf(`realm="%s", `, realm))...)
			message = append(message, []byte(fmt.Sprintf(`nonce="%s", `, nonce))...)
			message = append(message, []byte(fmt.Sprintf(`cnonce="%s", `, cnonceStr))...)
			message = append(message, []byte(fmt.Sprintf(`nc="%s", `, nonceCount))...)
			message = append(message, []byte(fmt.Sprintf(`qop="%s", `, qop))...)
			message = append(message, []byte(fmt.Sprintf(`digest-uri="%s", `, digestURI))...)
			message = append(message, []byte(fmt.Sprintf(`response="%s", `, digest))...)

			if match, _ := regexp.MatchString("^(UTF-8|UTF8|utf-8|utf8)$", charset); match {
				message = append(message, []byte(`username="`)...)
				message = append(message, []byte(charset)...)
				message = append(message, []byte(`", "`)...)
			}

			_, err = fmt.Fprintf(
				StanzaWriter,
				"<response xmlns='%s'>%s</response>\n",
				nsSASL,
				base64.StdEncoding.EncodeToString(message),
			)

			if err != nil {
				return err
			}

			// Step three, server checks if we supplied correct response
			var rspauth saslRspAuth

			// TODO: more accurate decode responses, taking into account tag names.
			// In this case success is something like
			// <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==</challenge>
			// while fail is something like this:
			// <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
			if err = c.p.DecodeElement(&rspauth, nil); err != nil {
				return errors.New("unmarshal <challenge>: " + err.Error())
			}

			b, err = base64.StdEncoding.DecodeString(string(rspauth))
			if err != nil {
				return err
			}

			// Empty b we should understand it as auth error.
			if len(b) == 0 {
				return errors.New("auth failure: server answer with empty response, looks like incorrect login or password")
			}

			// Step four, answer with empty response
			_, err = fmt.Fprintf(StanzaWriter, "<response xmlns='%s'/>\n", nsSASL)

			if err != nil {
				return err
			}
		}
	}

	if mechanism == "" {
		return fmt.Errorf("PLAIN authentication is not an option: %v", f.Mechanisms.Mechanism)
	}

	// Next message should be either success or failure.
	name, val, err := next(c.p)
	if err != nil {
		return err
	}

	switch v := val.(type) {
	case *saslSuccess:
		if strings.HasPrefix(mechanism, "SCRAM-SHA") {
			successMsg, err := base64.StdEncoding.DecodeString(v.Text)
			if err != nil {
				return err
			}

			if !strings.HasPrefix(string(successMsg), "v=") {
				return errors.New("server sent unexpected content in SCRAM success message")
			}

			serverSignatureReply := strings.SplitN(string(successMsg), "v=", 2)[1]
			serverSignatureRemote, err := base64.StdEncoding.DecodeString(serverSignatureReply)

			if err != nil {
				return err
			}

			if string(serverSignature) != string(serverSignatureRemote) {
				return errors.New("SCRAM: server signature mismatch")
			}
		}
	case *saslFailure:
		errorMessage := v.Text
		if errorMessage == "" {
			// v.Any is type of sub-element in failure,
			// which gives a description of what failed if there was no text element
			errorMessage = v.Any.Local
		}

		return errors.New("auth failure: " + errorMessage)
	default:
		return errors.New("expected <success> or <failure>, got <" + name.Local + "> in " + name.Space)
	}

	// Now that we're authenticated, we're supposed to start the stream over again.
	// Declare intent to be a jabber client.
	// TODO: check if we can squeeze something useful of f (aka server features)
	if f, err = c.startStream(o, domain); err != nil {
		return err
	}

	// Generate a unique cookie
	cookie := getCookie()

	// Send IQ message asking to bind to the local user name.
	if o.Resource == "" {
		_, err = fmt.Fprintf(StanzaWriter, "<iq type='set' id='%x'><bind xmlns='%s'></bind></iq>\n", cookie, nsBind)
		if err != nil {
			return err
		}
	} else {
		_, err = fmt.Fprintf(StanzaWriter, "<iq type='set' id='%x'><bind xmlns='%s'><resource>%s</resource></bind></iq>\n", cookie, nsBind, o.Resource)
		if err != nil {
			return err
		}
	}

	var iq clientIQ

	if err = c.p.DecodeElement(&iq, nil); err != nil {
		return errors.New("unmarshal <iq>: " + err.Error())
	}

	if (iq.Bind == bindBind{}) {
		return errors.New("<iq> result missing <bind>")
	}

	c.jid = iq.Bind.Jid // our local id
	c.domain = domain

	if o.Session {
		// if server support session, open it
		_, err = fmt.Fprintf(StanzaWriter, "<iq to='%s' type='set' id='%x'><session xmlns='%s'/></iq>", xmlEscape(domain), cookie, nsSession)
		if err != nil {
			return err
		}
	}

	// We're connected and can now receive and send messages.
	_, err = fmt.Fprintf(StanzaWriter, "<presence xml:lang='en'><show>%s</show><status>%s</status></presence>", o.Status, o.StatusMessage)
	if err != nil {
		return err
	}

	return nil
}

// startTlsIfRequired examines the server's stream features and, if STARTTLS is required or supported, performs the TLS handshake.
// f will be updated if the handshake completes, as the new stream's features are typically different from the original.
func (c *Client) startTLSIfRequired(f *streamFeatures, o *Options, domain string) (*streamFeatures, error) {
	// whether we start tls is a matter of opinion: the server's and the user's.
	switch {
	case f.StartTLS == nil:
		// the server does not support STARTTLS
		return f, nil
	case !o.StartTLS && f.StartTLS.Required == nil:
		return f, nil
	case f.StartTLS.Required != nil:
		// the server requires STARTTLS.
	case !o.StartTLS:
		// the user wants STARTTLS and the server supports it.
	} //nolint:wsl

	var err error

	_, err = fmt.Fprintf(StanzaWriter, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\n")
	if err != nil {
		return f, err
	}

	var k tlsProceed

	if err = c.p.DecodeElement(&k, nil); err != nil {
		return f, errors.New("unmarshal <proceed>: " + err.Error())
	}

	tc := o.TLSConfig
	if tc == nil {
		tc = DefaultConfig.Clone()
		// TODO(scott): we should consider using the server's address or reverse lookup
		tc.ServerName = domain
	}

	t := tls.Client(c.conn, tc)

	if err = t.Handshake(); err != nil {
		return f, errors.New("starttls handshake: " + err.Error())
	}

	c.conn = t

	// restart our declaration of XMPP stream intentions.
	tf, err := c.startStream(o, domain)
	if err != nil {
		return f, err
	}

	return tf, nil
}

// startStream will start a new XML decoder for the connection, signal the start of a stream to the server and verify that the server has
// also started the stream; if o.Debug is true, startStream will tee decoded XML data to stderr.  The features advertised by the server
// will be returned.
func (c *Client) startStream(o *Options, domain string) (*streamFeatures, error) {
	if o.Debug {
		c.p = xml.NewDecoder(tee{c.conn, DebugWriter})
		StanzaWriter = io.MultiWriter(c.conn, DebugWriter)
	} else {
		c.p = xml.NewDecoder(c.conn)
		StanzaWriter = c.conn
	}

	_, err := fmt.Fprintf(StanzaWriter, "<?xml version='1.0'?>"+
		"<stream:stream to='%s' xmlns='%s'"+
		" xmlns:stream='%s' version='1.0'>",
		xmlEscape(domain), nsClient, nsStream)
	if err != nil {
		return nil, err
	}

	// We expect the server to start a <stream>.
	se, err := nextStart(c.p)
	if err != nil {
		return nil, err
	}

	if se.Name.Space != nsStream || se.Name.Local != "stream" {
		return nil, fmt.Errorf("expected <stream> but got <%v> in %v", se.Name.Local, se.Name.Space)
	}

	// Now we're in the stream and can use Unmarshal.
	// Next message should be <features> to tell us authentication options.
	// See section 4.6 in RFC 3920.
	f := new(streamFeatures)
	if err = c.p.DecodeElement(f, nil); err != nil {
		return f, errors.New("unmarshal <features>: " + err.Error())
	}

	return f, nil
}

// IsEncrypted will return true if the client is connected using a TLS transport, either because it used.
// TLS to connect from the outset, or because it successfully used STARTTLS to promote a TCP connection to TLS.
func (c *Client) IsEncrypted() bool {
	_, ok := c.conn.(*tls.Conn)

	return ok
}

// Chat is an incoming or outgoing XMPP chat message.
type Chat struct {
	Remote    string
	Type      string
	Text      string
	Subject   string
	Thread    string
	Ooburl    string
	Oobdesc   string
	Roster    Roster
	Other     []string
	OtherElem []XMLElement
	Stamp     time.Time
}

type Roster []Contact

type Contact struct {
	Remote string
	Name   string
	Group  []string
}

// Presence is an XMPP presence notification.
type Presence struct {
	From        string
	To          string
	Type        string
	Show        string
	Status      string
	Priority    string
	ID          string
	Affiliation string
	Role        string
	JID         string
}

type IQ struct {
	ID    string
	From  string
	To    string
	Type  string
	Query []byte
}

// Recv waits to receive the next XMPP stanza.
// Return type is either a presence notification or a chat message.
func (c *Client) Recv() (stanza interface{}, err error) {
	for {
		_, val, err := next(c.p)
		if err != nil {
			return Chat{}, err
		}

		switch v := val.(type) {
		case *clientMessage:
			if v.Event.XMLNS == XMPPNS_PUBSUB_EVENT {
				// Handle Pubsub notifications
				switch v.Event.Items.Node {
				case XMPPNS_AVATAR_PEP_METADATA:
					if len(v.Event.Items.Items) == 0 {
						return AvatarMetadata{}, errors.New("No avatar metadata items available")
					}

					return handleAvatarMetadata(v.Event.Items.Items[0].Body,
						v.From)
				// I am not sure whether this can even happen.
				// XEP-0084 only specifies a subscription to
				// the metadata node.
				/*case XMPPNS_AVATAR_PEP_DATA:
				return handleAvatarData(v.Event.Items.Items[0].Body,
					v.From,
					v.Event.Items.Items[0].ID)*/
				default:
					return pubsubClientToReturn(v.Event), nil
				}
			}

			stamp, _ := time.Parse(
				"2006-01-02T15:04:05Z",
				v.Delay.Stamp,
			)

			chat := Chat{
				Remote:    v.From,
				Type:      v.Type,
				Text:      v.Body,
				Subject:   v.Subject,
				Thread:    v.Thread,
				Other:     v.OtherStrings(),
				OtherElem: v.Other,
				Stamp:     stamp,
			}

			return chat, nil
		case *clientQuery:
			var r Roster
			for _, item := range v.Item {
				r = append(r, Contact{item.Jid, item.Name, item.Group})
			}

			return Chat{Type: "roster", Roster: r}, nil
		case *clientPresence:
			return Presence{
				v.From,
				v.To,
				v.Type,
				v.Show,
				v.Status,
				v.Priority,
				v.ID,
				v.X.Item.Affiliation,
				v.X.Item.Role,
				v.X.Item.Jid,
			}, nil
		case *clientIQ:
			switch {
			case v.Query.XMLName.Space == "urn:xmpp:ping":
				// TODO check more strictly
				err := c.SendResultPing(v.ID, v.From)
				if err != nil {
					return Chat{}, err
				}

				fallthrough
			case v.Type == "error":
				switch v.ID {
				case "sub1":
					// Pubsub subscription failed
					var errs []clientPubsubError
					err := xml.Unmarshal(v.Error.InnerXML, &errs)

					if err != nil {
						return PubsubSubscription{}, err
					}

					var errsStr []string
					for _, e := range errs {
						errsStr = append(errsStr, e.XMLName.Local)
					}

					return PubsubSubscription{
						Errors: errsStr,
					}, nil
				default:
					res, err := xml.Marshal(v.Query)
					if err != nil {
						return Chat{}, err
					}

					return IQ{ID: v.ID, From: v.From, To: v.To, Type: v.Type,
						Query: res}, nil
				}
			case v.Type == "result":
				switch v.ID {
				case "sub1":
					if v.Query.XMLName.Local == "pubsub" {
						// Subscription or unsubscription was successful
						var sub clientPubsubSubscription

						if err := xml.Unmarshal([]byte(v.Query.InnerXML), &sub); err != nil {
							return PubsubSubscription{}, err
						}

						return PubsubSubscription{
							SubID:  sub.SubID,
							JID:    sub.JID,
							Node:   sub.Node,
							Errors: nil,
						}, nil
					}
				case "unsub1":
					if v.Query.XMLName.Local == "pubsub" {
						var sub clientPubsubSubscription

						if err := xml.Unmarshal([]byte(v.Query.InnerXML), &sub); err != nil {
							return PubsubUnsubscription{}, err
						}

						return PubsubUnsubscription{
							SubID:  sub.SubID,
							JID:    v.From,
							Node:   sub.Node,
							Errors: nil,
						}, nil
					}

					// Unsubscribing MAY contain a pubsub element. But it does
					// not have to
					return PubsubUnsubscription{
						SubID:  "",
						JID:    v.From,
						Node:   "",
						Errors: nil,
					}, nil

				case "info1":
					if v.Query.XMLName.Space == XMPPNS_DISCO_ITEMS {
						var itemsQuery clientDiscoItemsQuery

						if err := xml.Unmarshal(v.InnerXML, &itemsQuery); err != nil {
							return []DiscoItem{}, err
						}

						return DiscoItems{
							Jid:   v.From,
							Items: clientDiscoItemsToReturn(itemsQuery.Items),
						}, nil
					}

				case "info3":
					if v.Query.XMLName.Space == XMPPNS_DISCO_INFO {
						var disco clientDiscoQuery

						if err := xml.Unmarshal(v.InnerXML, &disco); err != nil {
							return DiscoResult{}, err
						}

						return DiscoResult{
							ID:         v.ID,
							From:       v.From,
							To:         v.To,
							Features:   clientFeaturesToReturn(disco.Features),
							Identities: clientIdentitiesToReturn(disco.Identities),
						}, nil
					}

				case "items1", "items3":
					if v.Query.XMLName.Local == "pubsub" {
						var p clientPubsubItems

						if err := xml.Unmarshal([]byte(v.Query.InnerXML), &p); err != nil {
							return PubsubItems{}, err
						}

						switch p.Node {
						case XMPPNS_AVATAR_PEP_DATA:
							if len(p.Items) == 0 {
								return AvatarData{}, errors.New("No avatar data items available")
							}

							return handleAvatarData(p.Items[0].Body,
								v.From,
								p.Items[0].ID)
						case XMPPNS_AVATAR_PEP_METADATA:
							if len(p.Items) == 0 {
								return AvatarMetadata{}, errors.New("No avatar metadata items available")
							}

							return handleAvatarMetadata(p.Items[0].Body,
								v.From)
						default:
							return PubsubItems{
								p.Node,
								pubsubItemsToReturn(p.Items),
							}, nil
						}
					}
					// Note: XEP-0084 states that metadata and data
					// should be fetched with an id of retrieve1.
					// Since we already have PubSub implemented, we
					// can just use items1 and items3 to do the same
					// as an Avatar node is just a PEP (PubSub) node.
					/*case "retrieve1":
					var p clientPubsubItems
					err := xml.Unmarshal([]byte(v.Query.InnerXML), &p)
					if err != nil {
						return PubsubItems{}, err
					}

					switch p.Node {
					case XMPPNS_AVATAR_PEP_DATA:
						return handleAvatarData(p.Items[0].Body,
							v.From,
							p.Items[0].ID)
					case XMPPNS_AVATAR_PEP_METADATA:
						return handleAvatarMetadata(p.Items[0].Body,
							v
					}*/

				default:
					res, err := xml.Marshal(v.Query)

					if err != nil {
						return Chat{}, err
					}

					return IQ{ID: v.ID, From: v.From, To: v.To, Type: v.Type,
						Query: res}, nil
				}

			case v.Query.XMLName.Local == "":
				return IQ{ID: v.ID, From: v.From, To: v.To, Type: v.Type}, nil

			default:
				res, err := xml.Marshal(v.Query)
				if err != nil {
					return Chat{}, err
				}

				return IQ{ID: v.ID, From: v.From, To: v.To, Type: v.Type,
					Query: res}, nil
			}
		}
	}
}

// Send sends the message wrapped inside an XMPP message stanza body. Returns amount bytes sent and error (if any).
func (c *Client) Send(chat Chat) (int, error) {
	var subtext, thdtext, oobtext string

	if chat.Subject != `` {
		subtext = `<subject>` + xmlEscape(chat.Subject) + `</subject>`
	}

	if chat.Thread != `` {
		thdtext = `<thread>` + xmlEscape(chat.Thread) + `</thread>`
	}

	if chat.Ooburl != `` {
		oobtext = `<x xmlns="jabber:x:oob"><url>` + xmlEscape(chat.Ooburl) + `</url>`

		if chat.Oobdesc != `` {
			oobtext += `<desc>` + xmlEscape(chat.Oobdesc) + `</desc>`
		}

		oobtext += `</x>`
	}

	stanza := "<message to='%s' type='%s' id='%s' xml:lang='en'>" + subtext + "<body>%s</body>" + oobtext + thdtext + "</message>"

	n, err := fmt.Fprintf(StanzaWriter, stanza,
		xmlEscape(chat.Remote), xmlEscape(chat.Type), cnonce(), xmlEscape(chat.Text))

	return n, err
}

// SendOOB sends OOB data wrapped inside an XMPP message stanza, without actual body.
// Returns amount bytes sent and error (if any).
func (c *Client) SendOOB(chat Chat) (int, error) {
	var thdtext, oobtext string

	if chat.Thread != `` {
		thdtext = `<thread>` + xmlEscape(chat.Thread) + `</thread>`
	}

	if chat.Ooburl != `` {
		oobtext = `<x xmlns="jabber:x:oob"><url>` + xmlEscape(chat.Ooburl) + `</url>`

		if chat.Oobdesc != `` {
			oobtext += `<desc>` + xmlEscape(chat.Oobdesc) + `</desc>`
		}

		oobtext += `</x>`
	}

	n, err := fmt.Fprintf(StanzaWriter, "<message to='%s' type='%s' id='%s' xml:lang='en'>"+oobtext+thdtext+"</message>",
		xmlEscape(chat.Remote), xmlEscape(chat.Type), cnonce())

	return n, err
}

// SendOrg sends the original text without being wrapped in an XMPP message stanza.
// Returns amount bytes sent and error (if any).
func (c *Client) SendOrg(org string) (int, error) {
	n, err := fmt.Fprint(StanzaWriter, org)

	return n, err
}

// SendPresence sends Presence wrapped inside XMPP presence stanza.
func (c *Client) SendPresence(presence Presence) (int, error) {
	// Forge opening presence tag
	buf := "<presence"

	if presence.From != "" {
		buf += fmt.Sprintf(" from='%s'", xmlEscape(presence.From))
	}

	if presence.To != "" {
		buf += fmt.Sprintf(" to='%s'", xmlEscape(presence.To))
	}

	if presence.Type != "" {
		// https://www.ietf.org/rfc/rfc3921.txt, 2.2.1, types can only be
		// unavailable, subscribe, subscribed, unsubscribe, unsubscribed, probe, error
		switch presence.Type {
		case "unavailable", "subscribe", "subscribed", "unsubscribe", "unsubscribed", "probe", "error":
			buf += fmt.Sprintf(" type='%s'", xmlEscape(presence.Type))
		}
	}

	buf += ">"

	// TODO: there may be optional tag "priority", but former presence type does not take this into account
	//       so either we must follow std, change type xmpp.Presence and break backward compatibility
	//       or leave it as-is and potentially break client software

	if presence.Show != "" {
		// https://www.ietf.org/rfc/rfc3921.txt 2.2.2.1, show can be only
		// away, chat, dnd, xa
		switch presence.Show {
		case "away", "chat", "dnd", "xa":
			buf += fmt.Sprintf("<show>%s</show>", xmlEscape(presence.Show))
		}
	}

	if presence.Status != "" {
		buf += fmt.Sprintf("<status>%s</status>", xmlEscape(presence.Status))
	}

	buf += "</presence>"

	n, err := fmt.Fprint(StanzaWriter, buf)

	return n, err
}

// SendKeepAlive sends a "whitespace keepalive" as described in chapter 4.6.1 of RFC6120.
// Returns amount bytes sent and error (if any).
func (c *Client) SendKeepAlive() (int, error) {
	n, err := fmt.Fprintf(c.conn, " ")

	return n, err
}

// SendHtml sends the message as HTML as defined by XEP-0071.
// Returns amount bytes sent and error (if any).
func (c *Client) SendHtml(chat Chat) (int, error) {
	n, err := fmt.Fprintf(StanzaWriter, "<message to='%s' type='%s' xml:lang='en'>"+
		"<body>%s</body>"+
		"<html xmlns='http://jabber.org/protocol/xhtml-im'><body xmlns='http://www.w3.org/1999/xhtml'>%s</body></html></message>",
		xmlEscape(chat.Remote), xmlEscape(chat.Type), xmlEscape(chat.Text), chat.Text)

	return n, err
}

// Roster asks for the chat roster.
func (c *Client) Roster() error {
	_, err := fmt.Fprintf(StanzaWriter, "<iq from='%s' type='get' id='roster1'><query xmlns='jabber:iq:roster'/></iq>\n", xmlEscape(c.jid))

	return err
}

// RFC 3920  C.1  Streams name space.
type streamFeatures struct {
	XMLName    xml.Name `xml:"http://etherx.jabber.org/streams features"`
	StartTLS   *tlsStartTLS
	Mechanisms saslMechanisms
	Bind       bindBind
	Session    bool
}

type streamError struct {
	XMLName xml.Name `xml:"http://etherx.jabber.org/streams error"`
	Any     xml.Name
	Text    string
}

// RFC 3920  C.3  TLS name space.
type tlsStartTLS struct {
	XMLName  xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-tls starttls"`
	Required *string  `xml:"required"`
}

type tlsProceed struct {
	XMLName xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-tls proceed"`
}

type tlsFailure struct {
	XMLName xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-tls failure"`
}

// RFC 3920  C.4  SASL name space.
type saslMechanisms struct {
	XMLName   xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-sasl mechanisms"`
	Mechanism []string `xml:"mechanism"`
}

type saslAuth struct {
	XMLName   xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-sasl auth"`
	Mechanism string   `xml:",attr"`
}

type saslChallenge string

type saslRspAuth string

type saslResponse string

type saslAbort struct {
	XMLName xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-sasl abort"`
}

type saslSuccess struct {
	XMLName xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-sasl success"`
	Text    string   `xml:",chardata"`
}

type saslFailure struct {
	XMLName xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-sasl failure"`
	Any     xml.Name `xml:",any"`
	Text    string   `xml:"text"`
}

// RFC 3920  C.5  Resource binding name space.
type bindBind struct {
	XMLName  xml.Name `xml:"urn:ietf:params:xml:ns:xmpp-bind bind"`
	Resource string
	Jid      string `xml:"jid"`
}

// RFC 3921  B.1  jabber:client.
type clientMessage struct {
	XMLName xml.Name `xml:"jabber:client message"`
	From    string   `xml:"from,attr"`
	ID      string   `xml:"id,attr"`
	To      string   `xml:"to,attr"`
	Type    string   `xml:"type,attr"` // chat, error, groupchat, headline, or normal

	// These should technically be []clientText, but string is much more convenient.
	Subject string `xml:"subject"`
	Body    string `xml:"body"`
	Thread  string `xml:"thread"`

	// Pubsub
	Event clientPubsubEvent `xml:"event"`

	// Any hasn't matched element
	Other []XMLElement `xml:",any"`

	Delay Delay `xml:"delay"`
}

func (m *clientMessage) OtherStrings() []string {
	a := make([]string, len(m.Other))
	for i, e := range m.Other {
		a[i] = e.String()
	}

	return a
}

type XMLElement struct {
	XMLName  xml.Name
	Attr     []xml.Attr `xml:",any,attr"` // Save the attributes of the xml element
	InnerXML string     `xml:",innerxml"`
}

func (e *XMLElement) String() string {
	var (
		r   = bytes.NewReader([]byte(e.InnerXML))
		d   = xml.NewDecoder(r)
		buf bytes.Buffer
	)

	for {
		tok, err := d.Token()

		if err != nil {
			break
		}

		switch v := tok.(type) {
		case xml.StartElement:
			err = d.Skip()
		case xml.CharData:
			_, err = buf.Write(v)
		}

		if err != nil {
			break
		}
	}

	return buf.String()
}

type Delay struct {
	Stamp string `xml:"stamp,attr"`
}

type clientText struct {
	Lang string `xml:",attr"`
	Body string `xml:"chardata"`
}

type clientPresence struct {
	XMLName xml.Name `xml:"jabber:client presence"`
	From    string   `xml:"from,attr"`
	ID      string   `xml:"id,attr"`
	To      string   `xml:"to,attr"`
	Type    string   `xml:"type,attr"` // error, probe, subscribe, subscribed, unavailable, unsubscribe, unsubscribed
	Lang    string   `xml:"lang,attr"`
	X       struct {
		Text  string `xml:",chardata"`
		Xmlns string `xml:"xmlns,attr"`
		Item  struct {
			Text        string `xml:",chardata"`
			Affiliation string `xml:"affiliation,attr"`
			Jid         string `xml:"jid,attr"`
			Role        string `xml:"role,attr"`
		} `xml:"item"`
	} `xml:"x"`
	Show     string `xml:"show"`   // away, chat, dnd, xa
	Status   string `xml:"status"` // sb []clientText
	Priority string `xml:"priority,attr"`
	Error    *clientError
}

type clientIQ struct {
	// info/query
	XMLName xml.Name   `xml:"jabber:client iq"`
	From    string     `xml:"from,attr"`
	ID      string     `xml:"id,attr"`
	To      string     `xml:"to,attr"`
	Type    string     `xml:"type,attr"` // error, get, result, set
	Query   XMLElement `xml:",any"`
	Error   clientError
	Bind    bindBind

	InnerXML []byte `xml:",innerxml"`
}

type clientError struct {
	XMLName  xml.Name `xml:"jabber:client error"`
	Code     string   `xml:",attr"`
	Type     string   `xml:"type,attr"`
	Any      xml.Name
	InnerXML []byte `xml:",innerxml"`
	Text     string
}

type clientQuery struct {
	Item []rosterItem
}

type rosterItem struct {
	XMLName      xml.Name `xml:"jabber:iq:roster item"`
	Jid          string   `xml:",attr"`
	Name         string   `xml:",attr"`
	Subscription string   `xml:",attr"`
	Group        []string
}

// Scan XML token stream to find next StartElement.
func nextStart(p *xml.Decoder) (xml.StartElement, error) {
	for {
		t, err := p.Token()
		if err != nil || t == nil {
			return xml.StartElement{}, err
		}

		switch t := t.(type) { //nolint:gocritic
		case xml.StartElement:
			return t, nil
		}
	}
}

// Scan XML token stream for next element and save into val.
// If val == nil, allocate new element based on proto map.
// Either way, return val.
func next(p *xml.Decoder) (xml.Name, interface{}, error) {
	// Read start element to find out what type we want.
	se, err := nextStart(p)
	if err != nil {
		return xml.Name{}, nil, err
	}

	// Put it in an interface and allocate one.
	var nv interface{}

	switch se.Name.Space + " " + se.Name.Local {
	case nsStream + " features":
		nv = &streamFeatures{}
	case nsStream + " error":
		nv = &streamError{}
	case nsTLS + " starttls":
		nv = &tlsStartTLS{}
	case nsTLS + " proceed":
		nv = &tlsProceed{}
	case nsTLS + " failure":
		nv = &tlsFailure{}
	case nsSASL + " mechanisms":
		nv = &saslMechanisms{}
	case nsSASL + " challenge":
		nv = ""
	case nsSASL + " response":
		nv = ""
	case nsSASL + " abort":
		nv = &saslAbort{}
	case nsSASL + " success":
		nv = &saslSuccess{}
	case nsSASL + " failure":
		nv = &saslFailure{}
	case nsBind + " bind":
		nv = &bindBind{}
	case nsClient + " message":
		nv = &clientMessage{}
	case nsClient + " presence":
		nv = &clientPresence{}
	case nsClient + " iq":
		nv = &clientIQ{}
	case nsClient + " error":
		nv = &clientError{}
	default:
		return xml.Name{}, nil, errors.New("unexpected XMPP message " +
			se.Name.Space + " <" + se.Name.Local + "/>")
	}

	// Unmarshal into that storage.
	if err = p.DecodeElement(nv, &se); err != nil {
		return xml.Name{}, nil, err
	}

	return se.Name, nv, err
}

func xmlEscape(s string) string {
	var b bytes.Buffer

	xml.Escape(&b, []byte(s))

	return b.String()
}

type tee struct {
	r io.Reader
	w io.Writer
}

func (t tee) Read(p []byte) (int, error) {
	n, err := t.r.Read(p)

	if n > 0 {
		if m, err := t.w.Write(p[0:n]); err != nil {
			return m, err
		}

		if m, err := t.w.Write([]byte("\n")); err != nil {
			return m, err
		}
	}

	return n, err
}