--- a/mod_http_upload_external/README.markdown Fri Mar 12 21:32:03 2021 +0100
+++ b/mod_http_upload_external/README.markdown Sun Mar 14 17:19:38 2021 +0100
@@ -10,7 +10,7 @@
over HTTP to an external web server.
This module generates URLs that are signed using a HMAC. Any web service that can authenticate
-these URLs can be used.
+these URLs can be used.
Implementations
---------------
@@ -20,7 +20,7 @@
* [Go implementation, Prosody Filer](https://github.com/ThomasLeister/prosody-filer)
* [Perl implementation for nginx](https://github.com/weiss/ngx_http_upload)
-To implement your own service compatible with this module, check out the implementation notes below
+To implement your own service compatible with this module, check out the implementation notes below
(and if you publish your implementation - let us know!).
Configuration
@@ -71,6 +71,16 @@
Default is 100MB (100\*1024\*1024).
+Access
+------
+
+You may want to give upload access to additional entities such as components
+by using the `http_upload_access` config option.
+
+``` {.lua}
+http_upload_access = {"gateway.example.com"};
+```
+
Compatibility
=============
--- a/mod_http_upload_external/mod_http_upload_external.lua Fri Mar 12 21:32:03 2021 +0100
+++ b/mod_http_upload_external/mod_http_upload_external.lua Sun Mar 14 17:19:38 2021 +0100
@@ -11,6 +11,7 @@
local http = require "util.http";
local dataform = require "util.dataforms".new;
local HMAC = require "util.hashes".hmac_sha256;
+local jid = require "util.jid";
-- config
local file_size_limit = module:get_option_number(module.name .. "_file_size_limit", 100 * 1024 * 1024); -- 100 MB
@@ -18,6 +19,7 @@
module.name .. "_base_url is a required option");
local secret = assert(module:get_option_string(module.name .. "_secret"),
module.name .. "_secret is a required option");
+local access = module:get_option_set(module.name .. "_access", {});
local token_protocol = module:get_option_string(module.name .. "_protocol", "v1");
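Review bot: The option key read on the added line is `module.name .. "_access"`, which for this module is presumably `http_upload_external_access`, but the README section added in this same commit documents `http_upload_access`. An operator who copies the README example would end up with the default empty set, so the allow-list would silently never match. The README example should probably read `http_upload_external_access = {"gateway.example.com"};`. A short comment above this line would also help, for example `-- bare JIDs or hosts (e.g. components) allowed to request slots in addition to local c2s sessions`.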
@@ -56,8 +58,11 @@
end
local function handle_request(origin, stanza, xmlns, filename, filesize, filetype)
- -- local clients only
- if origin.type ~= "c2s" then
+ local user_bare = jid.bare(stanza.attr.from);
+ local user_host = jid.host(user_bare);
+
+ -- local clients or whitelisted jids/hosts only
+ if not (origin.type == "c2s" or access:contains(user_bare) or access:contains(user_host)) then
module:log("debug", "Request for upload slot from a %s", origin.type);
origin.send(st.error_reply(stanza, "cancel", "not-authorized"));
return nil, nil;
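Review bot: For any origin that is not `c2s`, the new condition authorizes purely on `stanza.attr.from`, so the check is only as strong as the validation applied to that address before it reaches `handle_request`. That validation is not visible in this hunk and should be confirmed for component and s2s sessions. A host entry matched by `access:contains(user_host)` admits every sender on that host, which deserves a comment such as `-- a host entry grants slots to every JID on that host; relies on the from address being validated upstream`. The debug line still logs only `origin.type`, so a denied request does not show which JID was refused. Consider `module:log("debug", "Request for upload slot from a %s (%s)", origin.type, tostring(user_bare));` to make denials auditable. The body of `handle_request` continues past the end of this hunk.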