12 |
12 |
13 local tokens = module:depends("tokenauth"); |
13 local tokens = module:depends("tokenauth"); |
14 |
14 |
15 local clients = module:open_store("oauth2_clients", "map"); |
15 local clients = module:open_store("oauth2_clients", "map"); |
16 |
16 |
17 local function filter_scopes(request_jid, requested_scope_string) --luacheck: ignore 212/requested_scope_string |
17 local function filter_scopes(username, host, requested_scope_string) |
18 -- We currently don't really support scopes, so override |
18 if host ~= module.host then |
19 -- to whatever real permissions the user has |
19 return usermanager.get_jid_role(username.."@"..host, module.host).name; |
20 if usermanager.is_admin(request_jid, module.host) then |
20 end |
21 return "prosody:scope:admin"; |
21 |
22 end |
22 if requested_scope_string then -- Specific role requested |
23 return "prosody:scope:default"; |
23 -- TODO: The requested scope string is technically a space-delimited list |
|
24 -- of scopes, but for simplicity we're mapping this slot to role names. |
|
25 local user_roles = usermanager.get_user_roles(username, module.host); |
|
26 if user_roles[requested_scope_string] then |
|
27 return requested_scope_string; |
|
28 end |
|
29 end |
|
30 |
|
31 return usermanager.get_user_default_role(username, module.host).name; |
24 end |
32 end |
25 |
33 |
26 local function code_expires_in(code) |
34 local function code_expires_in(code) |
27 return os.difftime(os.time(), code.issued); |
35 return os.difftime(os.time(), code.issued); |
28 end |
36 end |
79 if not usermanager.test_password(request_username, request_host, request_password) then |
87 if not usermanager.test_password(request_username, request_host, request_password) then |
80 return oauth_error("invalid_grant", "incorrect credentials"); |
88 return oauth_error("invalid_grant", "incorrect credentials"); |
81 end |
89 end |
82 |
90 |
83 local granted_jid = jid.join(request_username, request_host, request_resource); |
91 local granted_jid = jid.join(request_username, request_host, request_resource); |
84 local granted_scopes = filter_scopes(granted_jid, params.scope); |
92 local granted_scopes = filter_scopes(request_username, request_host, params.scope); |
85 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); |
93 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); |
86 end |
94 end |
87 |
95 |
88 function response_type_handlers.code(params, granted_jid) |
96 function response_type_handlers.code(params, granted_jid) |
89 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
97 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
97 if err then error(err); end |
105 if err then error(err); end |
98 if not client then |
106 if not client then |
99 return oauth_error("invalid_client", "incorrect credentials"); |
107 return oauth_error("invalid_client", "incorrect credentials"); |
100 end |
108 end |
101 |
109 |
102 local granted_scopes = filter_scopes(granted_jid, params.scope); |
110 local granted_scopes = filter_scopes(client_owner, client_host, params.scope); |
103 |
111 |
104 local code = uuid.generate(); |
112 local code = uuid.generate(); |
105 local ok = codes:set(params.client_id .. "#" .. code, { |
113 local ok = codes:set(params.client_id .. "#" .. code, { |
106 issued = os.time(); |
114 issued = os.time(); |
107 granted_jid = granted_jid; |
115 granted_jid = granted_jid; |