prosody-modules: mod_http_oauth2/mod_http_oauth2.lua@c4b9d4ba839b (annotated)

3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	1	local http = require "util.http";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	2	local jid = require "util.jid";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	3	local json = require "util.json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	4	local usermanager = require "core.usermanager";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	5	local errors = require "util.error";
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	6	local url = require "socket.url";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	7	local uuid = require "util.uuid";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	8	local encodings = require "util.encodings";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	9	local base64 = encodings.base64;
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	10
3919 80dffbbd056b mod_rest, mod_http_oauth2: Switch from mod_authtokens to mod_tokenauth per Prosody bf81523e2ff4 Matthew Wild <mwild1@gmail.com> parents: 3912 diff changeset	11	local tokens = module:depends("tokenauth");
3912 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3907 diff changeset	12
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	13	local clients = module:open_store("oauth2_clients");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	14	local codes = module:open_store("oauth2_codes", "map");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	15
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	16	local function oauth_error(err_name, err_desc)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	17	return errors.new({
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	18	type = "modify";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	19	condition = "bad-request";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	20	code = err_name == "invalid_client" and 401 or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	21	text = err_desc and (err_name..": "..err_desc) or err_name;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	22	context = { oauth2_response = { error = err_name, error_description = err_desc } };
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	23	});
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	24	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	25
3922 dea6bea2ddd3 mod_http_oauth2: Refactor re-joining of JID out of token constructor Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	26	local function new_access_token(token_jid, scope, ttl)
3912 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3907 diff changeset	27	local token = tokens.create_jid_token(token_jid, token_jid, scope, ttl);
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	28	return {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	29	token_type = "bearer";
3912 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3907 diff changeset	30	access_token = token;
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	31	expires_in = ttl;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	32	-- TODO: include refresh_token when implemented
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	33	};
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	34	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	35
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	36	local grant_type_handlers = {};
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	37	local response_type_handlers = {};
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	38
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	39	function grant_type_handlers.password(params)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	40	local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	41	local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
3923 8ed261a08a9c mod_http_oauth2: Allow creation of full JID tokens Kim Alvefur <zash@zash.se> parents: 3922 diff changeset	42	local request_username, request_host, request_resource = jid.prepped_split(request_jid);
4241 a0ab7be0538d mod_http_oauth2: Fix typo not caught by luacheck Kim Alvefur <zash@zash.se> parents: 4232 diff changeset	43	if params.scope and params.scope ~= "" then
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	44	return oauth_error("invalid_scope", "unknown scope requested");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	45	end
3912 8ac5d9933106 mod_http_oauth2: Implement real tokens using mod_authtokens Matthew Wild <mwild1@gmail.com> parents: 3907 diff changeset	46	if not (request_username and request_host) or request_host ~= module.host then
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	47	return oauth_error("invalid_request", "invalid JID");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	48	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	49	if usermanager.test_password(request_username, request_host, request_password) then
3923 8ed261a08a9c mod_http_oauth2: Allow creation of full JID tokens Kim Alvefur <zash@zash.se> parents: 3922 diff changeset	50	local granted_jid = jid.join(request_username, request_host, request_resource);
3922 dea6bea2ddd3 mod_http_oauth2: Refactor re-joining of JID out of token constructor Kim Alvefur <zash@zash.se> parents: 3919 diff changeset	51	return json.encode(new_access_token(granted_jid, request_host, nil, nil));
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	52	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	53	return oauth_error("invalid_grant", "incorrect credentials");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	54	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	55
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	56	function response_type_handlers.code(params, granted_jid)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	57	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	58	if not params.redirect_uri then return oauth_error("invalid_request", "missing 'redirect_uri'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	59	if params.scope and params.scope ~= "" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	60	return oauth_error("invalid_scope", "unknown scope requested");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	61	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	62
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	63	local client, err = clients:get(params.client_id);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	64	module:log("debug", "clients:get(%q) --> %q, %q", params.client_id, client, err);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	65	if err then error(err); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	66	if not client then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	67	return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	68	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	69
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	70	local code = uuid.generate();
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	71	assert(codes:set(params.client_id, code, { issued = os.time(), granted_jid = granted_jid, }));
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	72
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	73	local redirect = url.parse(params.redirect_uri);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	74	local query = http.formdecode(redirect.query or "");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	75	if type(query) ~= "table" then query = {}; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	76	table.insert(query, { name = "code", value = code })
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	77	if params.state then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	78	table.insert(query, { name = "state", value = params.state });
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	79	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	80	redirect.query = http.formencode(query);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	81
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	82	return {
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	83	status_code = 302;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	84	headers = {
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	85	location = url.build(redirect);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	86	};
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	87	}
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	88	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	89
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	90	function grant_type_handlers.authorization_code(params)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	91	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	92	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	93	if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	94	--if not params.redirect_uri then return oauth_error("invalid_request", "missing 'redirect_uri'"); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	95	if params.scope and params.scope ~= "" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	96	return oauth_error("invalid_scope", "unknown scope requested");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	97	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	98
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	99	local client, err = clients:get(params.client_id);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	100	if err then error(err); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	101	if not client or client.secret ~= params.client_secret then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	102	return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	103	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	104	local code, err = codes:get(params.client_id, params.code);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	105	if err then error(err); end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	106	if not code or type(code) ~= "table" or os.difftime(os.time(), code.issued) > 900 then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	107	return oauth_error("invalid_client", "incorrect credentials");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	108	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	109	assert(codes:set(params.client_id, params.code, nil));
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	110
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	111	if client.redirect_uri and client.redirect_uri ~= params.redirect_uri then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	112	return oauth_error("invalid_client", "incorrect 'redirect_uri'");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	113	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	114
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	115	return json.encode(new_access_token(code.granted_jid, nil, nil));
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	116	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	117
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	118	local function check_credentials(request)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	119	local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	120
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	121	if auth_type == "Basic" then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	122	local creds = base64.decode(auth_data);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	123	if not creds then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	124	local username, password = string.match(creds, "^([^:]+):(.*)$");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	125	if not username then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	126	username, password = encodings.stringprep.nodeprep(username), encodings.stringprep.saslprep(password);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	127	if not username then return false; end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	128	if not usermanager.test_password(username, module.host, password) then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	129	return false;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	130	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	131	return username;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	132	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	133	return nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	134	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	135
3924 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	136	if module:get_host_type() == "component" then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	137	local component_secret = assert(module:get_option_string("component_secret"), "'component_secret' is a required setting when loaded on a Component");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	138
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	139	function grant_type_handlers.password(params)
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	140	local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	141	local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	142	local request_username, request_host, request_resource = jid.prepped_split(request_jid);
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	143	if params.scope then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	144	return oauth_error("invalid_scope", "unknown scope requested");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	145	end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	146	if not request_host or request_host ~= module.host then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	147	return oauth_error("invalid_request", "invalid JID");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	148	end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	149	if request_password == component_secret then
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	150	local granted_jid = jid.join(request_username, request_host, request_resource);
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	151	return json.encode(new_access_token(granted_jid, request_host, nil, nil));
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	152	end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	153	return oauth_error("invalid_grant", "incorrect credentials");
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	154	end
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	155
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	156	-- TODO How would this make sense with components?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	157	-- Have an admin authenticate maybe?
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	158	response_type_handlers.code = nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	159	grant_type_handlers.authorization_code = nil;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	160	check_credentials = function () return false end
3924 cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	161	end
cf92e3b30c18 mod_http_oauth2: Use component_secret setting as password on Components Kim Alvefur <zash@zash.se> parents: 3923 diff changeset	162
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	163	function handle_token_grant(event)
3938 469408682152 mod_http_oauth2: Set content type on successful repsponses (fixes #1501) Kim Alvefur <zash@zash.se> parents: 3924 diff changeset	164	event.response.headers.content_type = "application/json";
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	165	local params = http.formdecode(event.request.body);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	166	if not params then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	167	return oauth_error("invalid_request");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	168	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	169	local grant_type = params.grant_type
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	170	local grant_handler = grant_type_handlers[grant_type];
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	171	if not grant_handler then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	172	return oauth_error("unsupported_grant_type");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	173	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	174	return grant_handler(params);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	175	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	176
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	177	local function handle_authorization_request(event)
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	178	if not event.request.headers.authorization then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	179	event.response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	180	return 401;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	181	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	182	local user = check_credentials(event.request);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	183	if not user then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	184	return 401;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	185	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	186	if not event.request.url.query then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	187	event.response.headers.content_type = "application/json";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	188	return oauth_error("invalid_request");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	189	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	190	local params = http.formdecode(event.request.url.query);
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	191	if not params then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	192	return oauth_error("invalid_request");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	193	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	194	local response_type = params.response_type;
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	195	local response_handler = response_type_handlers[response_type];
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	196	if not response_handler then
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	197	event.response.headers.content_type = "application/json";
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	198	return oauth_error("unsupported_response_type");
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	199	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	200	return response_handler(params, jid.join(user, module.host));
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	201	end
c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	202
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	203	module:depends("http");
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	204	module:provides("http", {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	205	route = {
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	206	["POST /token"] = handle_token_grant;
4260 c4b9d4ba839b mod_http_oauth2: Authorization code flow Kim Alvefur <zash@zash.se> parents: 4241 diff changeset	207	["GET /authorize"] = handle_authorization_request;
3907 cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	208	};
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	209	});
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	210
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	211	local http_server = require "net.http.server";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	212
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	213	module:hook_object_event(http_server, "http-error", function (event)
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	214	local oauth2_response = event.error and event.error.context and event.error.context.oauth2_response;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	215	if not oauth2_response then
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	216	return;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	217	end
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	218	event.response.headers.content_type = "application/json";
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	219	event.response.status_code = event.error.code or 400;
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	220	return json.encode(oauth2_response);
cfeb93b80621 mod_http_oauth2: OAuth2 API (work in progress for developers only) Matthew Wild <mwild1@gmail.com> parents: diff changeset	221	end, 5);

author	Kim Alvefur <zash@zash.se>
	Sat, 21 Nov 2020 01:08:30 +0100
changeset 4260	c4b9d4ba839b
parent 4241	a0ab7be0538d
child 4261	145e8e8a247a
permissions	-rw-r--r--