plugins/mod_tokenauth.lua
author Kim Alvefur <zash@zash.se>
Fri, 24 Mar 2023 13:15:28 +0100
changeset 12981 74b9e05af71e
parent 12963 e331210beeb2
child 12984 6ebad8e16b3b
permissions -rw-r--r--
plugins: Prefix module imports with prosody namespace
-- Module dependencies, all resolved from the prosody namespace.
local base64 = require "prosody.util.encodings".base64;
local hashes = require "prosody.util.hashes";
local id = require "prosody.util.id";
local jid = require "prosody.util.jid";
local random = require "prosody.util.random";
local usermanager = require "prosody.core.usermanager";
-- Short random identifier generator; same module as `id` above (require caches it).
local generate_identifier = id.short;

-- Per-user map store keyed by token id. Each record holds the SHA-256 digest of
-- the token secret plus the token's metadata table (see create_jid_token).
local token_store = module:open_store("auth_tokens", "map");

--- Resolve the role a token-backed session should run with.
-- A role name pinned to the token is looked up through the host's authz
-- provider; otherwise the account's own role is used.
-- @tparam string username
-- @tparam string host
-- @tparam string|nil role  role name stored with the token, if any
-- @return whatever the authz provider or usermanager returns for the role
--   (presumably a role object, or nil for an unknown name -- confirm against the authz API)
local function select_role(username, host, role)
	if not role then
		-- Nothing pinned to the token: fall back to the account's configured role.
		return usermanager.get_user_role(username, host);
	end
	local authz = prosody.hosts[host].authz;
	return authz.get_role_by_name(role);
end

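--- Issue a new access token for `token_jid` on behalf of `actor_jid`.
-- The token is only issued when the actor is the token JID itself, or
-- jid.compare accepts the token JID as within the actor's scope, and when the
-- token JID belongs to this module's host.
--
-- Wire format of the returned token string (consumed by parse_token):
--   "secret-token:" .. base64("2;" .. token_id .. ";" .. secret .. ";" .. user@host)
-- Only a SHA-256 digest of the secret is persisted; the plaintext secret
-- exists solely inside the token string handed back to the caller.
--
-- @tparam string actor_jid  JID requesting the token (must be non-nil)
-- @tparam string token_jid  JID the token authenticates as; a resource, if
--   present, pins the resource of sessions created from the token
-- @tparam string|nil token_role  role name to attach to sessions using the token
-- @tparam number|nil token_ttl  lifetime in seconds from now; nil means no expiry
-- @tparam table|nil token_data  arbitrary data stored alongside the token
-- @tparam string|nil token_purpose  purpose label checked by sasl_handler
-- @treturn string|nil  the token string, or nil on failure
-- @return the token_info table on success; otherwise one of "not-authorized",
--   "invalid-host", "bad-request", "internal-error"
function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data, token_purpose)
	token_jid = jid.prep(token_jid);
	-- Precedence is `a or (b and c)`: the actor must exist, and must either be
	-- the token JID exactly or cover it according to jid.compare.
	if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
		return nil, "not-authorized";
	end

	local token_username, token_host, token_resource = jid.split(token_jid);

	if token_host ~= module.host then
		return nil, "invalid-host";
	end

	-- Optional parameters must have the expected shape when present.
	-- (token_ttl is not type-checked; a non-number reaches the arithmetic below.)
	if (token_data and type(token_data) ~= "table") or (token_purpose and type(token_purpose) ~= "string") then
		return nil, "bad-request";
	end

	local token_id = id.short();

	-- Take a single timestamp so `expires` is exactly `created + token_ttl`.
	local now = os.time();
	local token_info = {
		id = token_id;
		owner = actor_jid;
		created = now;
		expires = token_ttl and (now + token_ttl) or nil;
		jid = token_jid;
		purpose = token_purpose;
		resource = token_resource;
		role = token_role;
		data = token_data;
	};

	-- The secret is base64-encoded before being embedded: the token payload is
	-- ';'-delimited and parse_token captures the secret with "[^;]+", so raw
	-- random bytes (which may contain 0x3B ';') would yield tokens that can
	-- never be parsed back. The base64 alphabet contains no ';'.
	local token_secret = base64.encode(random.bytes(18));
	local token = "secret-token:"..base64.encode("2;"..token_id..";"..token_secret..";"..jid.join(token_username, token_host));

	-- Persist only the digest; validation recomputes it from the presented secret.
	local _, store_err = token_store:set(token_username, token_id, {
		secret_sha256 = hashes.sha256(token_secret, true);
		token_info = token_info
	});
	if store_err then
		-- Never hand out a token that was not recorded: it could not be
		-- validated later and the caller would have no way to tell.
		return nil, "internal-error";
	end

	return token, token_info;
end
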
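--- Split a token string into its components, without validating it.
-- Accepts the "secret-token:<base64>" form produced by create_jid_token,
-- whose decoded payload is "2;<token_id>;<secret>;<user@host>". No store
-- lookup or secret check happens here; see _get_validated_token_info.
-- @tparam string|nil encoded_token
-- @treturn string|nil token_id  nil when the token is malformed
-- @return on success: token_user, token_host, token_secret follow; on
--   failure: a short reason string as the second value, so callers that log
--   the second value get a diagnostic instead of nil
local function parse_token(encoded_token)
	if not encoded_token then return nil, "no-token"; end
	-- `:match` only exists on strings; anything else is malformed input.
	if type(encoded_token) ~= "string" then return nil, "invalid-token-type"; end
	local encoded_data = encoded_token:match("^secret%-token:(.+)$");
	if not encoded_data then return nil, "missing-prefix"; end
	local token = base64.decode(encoded_data);
	if not token then return nil, "invalid-base64"; end
	-- Version-"2" layout. The id and secret captures stop at the first ';',
	-- so the issuer must never place a ';' inside either of them.
	local token_id, token_secret, token_jid = token:match("^2;([^;]+);([^;]+);(.+)$");
	if not token_id then return nil, "invalid-payload"; end
	-- token_user is presumably nil when the payload carries a bare host
	-- (no '@'); the validation step is expected to reject such tokens.
	local token_user, token_host = jid.split(token_jid);
	return token_id, token_user, token_host, token_secret;
end
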
--- Look up a parsed token and check that it is still acceptable.
-- Checks run in this order: host, store lookup, legacy-record purge, secret
-- digest (compared with hashes.equals), expiry, password-change cutoff.
-- Records that fail as legacy, expired, or pre-dating the last password
-- change are deleted from the store as a side effect of being rejected.
-- @tparam string token_id
-- @tparam string token_user
-- @tparam string token_host
-- @tparam string token_secret  plaintext secret presented by the client
-- @treturn table|nil  the stored token_info, or nil
-- @treturn string|nil  "invalid-host", "internal-error" or "not-authorized"
local function _get_validated_token_info(token_id, token_user, token_host, token_secret)
	if token_host ~= module.host then
		return nil, "invalid-host";
	end

	local record, lookup_err = token_store:get(token_user, token_id);
	if not record then
		-- A storage failure is reported distinctly from an unknown token.
		return nil, lookup_err and "internal-error" or "not-authorized";
	end
	if not record.secret_sha256 then
		-- Pre-digest record layout: it cannot be verified, so drop it.
		token_store:set(token_user, token_id, nil);
		return nil, "not-authorized";
	end

	-- Only digests are compared; the stored value is never the secret itself.
	local presented_digest = hashes.sha256(token_secret, true);
	if not hashes.equals(presented_digest, record.secret_sha256) then
		return nil, "not-authorized";
	end

	local info = record.token_info;
	local now = os.time();

	if info.expires and info.expires < now then
		token_store:set(token_user, token_id, nil);
		return nil, "not-authorized";
	end

	-- Tokens issued before the most recent password change count as revoked.
	local account = usermanager.get_account_info(token_user, module.host);
	local password_changed_at = account and account.password_updated;
	if password_changed_at and password_changed_at > info.created then
		token_store:set(token_user, token_id, nil);
		return nil, "not-authorized";
	end

	return info
end

--- Parse and validate a token string, returning its stored token_info.
-- @tparam string token  the "secret-token:..." string presented by a client
-- @treturn table|nil  token_info on success
-- @treturn string|nil  "invalid-token-format", or an error from _get_validated_token_info
function get_token_info(token)
	local id_part, user_part, host_part, secret_part = parse_token(token);
	if id_part then
		return _get_validated_token_info(id_part, user_part, host_part, secret_part);
	end
	-- The second value from parse_token is logged for diagnostics; the token
	-- string itself is not written to the log.
	module:log("warn", "Failed to verify access token: %s", user_part);
	return nil, "invalid-token-format";
end

--- Validate a token and build a session-like table for it.
-- @tparam string token
-- @tparam string|nil resource  resource to use when the token does not pin one
-- @treturn table|nil  { username, host, resource, role } on success
-- @treturn string|nil  error reason on failure
function get_token_session(token, resource)
	local id_part, user_part, host_part, secret_part = parse_token(token);
	if not id_part then
		module:log("warn", "Failed to verify access token: %s", user_part);
		return nil, "invalid-token-format";
	end

	local info, err = _get_validated_token_info(id_part, user_part, host_part, secret_part);
	if not info then return nil, err; end

	-- Resource precedence: pinned by the token > requested by caller > fresh random id.
	local session_resource = info.resource or resource or generate_identifier();
	local session_role = select_role(user_part, host_part, info.role);
	return {
		username = user_part;
		host = host_part;
		resource = session_resource;
		role = session_role;
	};
end

--- Delete the stored record for a token, making it unusable.
-- Only the token id and user are needed to locate the record; the secret
-- carried in the token is not verified before deletion, so any well-formed
-- token string with a matching id and user is enough to revoke.
-- @tparam string token
-- @return the store's result for the delete, or nil plus
--   "invalid-token-format" / "invalid-host"
function revoke_token(token)
	local id_part, user_part, host_part = parse_token(token);
	if not id_part then
		module:log("warn", "Failed to verify access token: %s", user_part);
		return nil, "invalid-token-format";
	elseif host_part ~= module.host then
		return nil, "invalid-host";
	end
	-- Setting the map entry to nil removes it.
	return token_store:set(user_part, id_part, nil);
end

--- Build a SASL backend callback that authenticates with a token.
-- @tparam table auth_provider  provider whose optional `is_enabled(username)` gates login
-- @tparam string|nil purpose  when given, only tokens created with this purpose are accepted
-- @param extra  value handed back as the third result on rejection
-- @treturn function  callback(sasl, token, realm, authzid) returning
--   (username, true, token_info) on success, (true, false, token_info) for a
--   valid token on a disabled account, or (nil, nil, extra) on rejection
function sasl_handler(auth_provider, purpose, extra)
	local function reject()
		return nil, nil, extra;
	end
	return function (sasl, token, realm, _authzid)
		local info, err = get_token_info(token);
		if not info then
			module:log("debug", "SASL handler failed to verify token: %s", err);
			return reject();
		end
		local user, host, resource = jid.split(info.jid);
		-- The realm being authenticated against must be the token's host, and a
		-- purpose-restricted handler only accepts tokens with that purpose.
		local realm_ok = (realm == host);
		local purpose_ok = (not purpose) or (info.purpose == purpose);
		if not (realm_ok and purpose_ok) then
			return reject();
		end
		local enabled_check = auth_provider.is_enabled;
		if enabled_check and not enabled_check(user) then
			-- Valid token but the account is disabled (presumably read by the
			-- SASL layer as "authenticated, not authorized" -- confirm against util.sasl).
			return true, false, info;
		end
		sasl.resource = resource;
		sasl.token_info = info;
		return user, true, info;
	end;
end