Mercurial Mercurial > prosody > prosody-modules / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2/mod_http_oauth2.lua
changeset 4267 d3af5f94d6df
parent 4264 c539334dd01a
child 4269 7b4a73364363 
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Nov 22 01:31:27 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Nov 22 01:32:09 2020 +0100
@@ -1,3 +1,4 @@
+local hashes = require "util.hashes";
 local http = require "util.http";
 local jid = require "util.jid";
 local json = require "util.json";
@@ -90,6 +91,12 @@
 	}
 end
 
+local pepper = module:get_option_string("oauth2_client_pepper", "");
+
+local function verify_secret(stored, salt, i, secret)
+	return base64.decode(stored) == hashes.pbkdf2_hmac_sha256(secret, salt .. pepper, i);
+end
+
 function grant_type_handlers.authorization_code(params)
 	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
 	if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
@@ -105,7 +112,7 @@
 	end
 	local client, err = clients:get(client_owner, client_id);
 	if err then error(err); end
-	if not client or client.client_secret ~= params.client_secret then
+	if not client or not verify_secret(client.secret_hash, client.salt, client.iteration_count, params.client_secret) then
 		module:log("debug", "client_secret mismatch");
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
prosody-modules