author | Kim Alvefur <zash@zash.se> |
Fri, 24 Mar 2023 13:15:28 +0100 | |
changeset 12981 | 74b9e05af71e |
parent 12963 | e331210beeb2 |
child 12984 | 6ebad8e16b3b |
permissions | -rw-r--r-- |
12981
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
1 |
local base64 = require "prosody.util.encodings".base64; |
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
2 |
local hashes = require "prosody.util.hashes"; |
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
3 |
local id = require "prosody.util.id"; |
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
4 |
local jid = require "prosody.util.jid"; |
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
5 |
local random = require "prosody.util.random"; |
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
6 |
local usermanager = require "prosody.core.usermanager"; |
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12963
diff
changeset
|
7 |
local generate_identifier = require "prosody.util.id".short; |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
local token_store = module:open_store("auth_tokens", "map"); |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
|
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
11 |
local function select_role(username, host, role) |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
12 |
if role then |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
13 |
return prosody.hosts[host].authz.get_role_by_name(role); |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
14 |
end |
12666
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12653
diff
changeset
|
15 |
return usermanager.get_user_role(username, host); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
16 |
end |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
17 |
|
12917
012fa81d1f5d
mod_tokenauth: Add 'purpose' constraint
Matthew Wild <mwild1@gmail.com>
parents:
12776
diff
changeset
|
18 |
function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data, token_purpose) |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
token_jid = jid.prep(token_jid); |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 |
return nil, "not-authorized"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
local token_username, token_host, token_resource = jid.split(token_jid); |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
if token_host ~= module.host then |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
return nil, "invalid-host"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
|
12923
7c0e5c7eff7c
mod_tokenauth: Fix misplaced closing parenthesis
Kim Alvefur <zash@zash.se>
parents:
12921
diff
changeset
|
30 |
if (token_data and type(token_data) ~= "table") or (token_purpose and type(token_purpose) ~= "string") then |
12918
2b4661bd39e2
mod_tokenauth: Add some sanity checking of the new optional parameters
Matthew Wild <mwild1@gmail.com>
parents:
12917
diff
changeset
|
31 |
return nil, "bad-request"; |
2b4661bd39e2
mod_tokenauth: Add some sanity checking of the new optional parameters
Matthew Wild <mwild1@gmail.com>
parents:
12917
diff
changeset
|
32 |
end |
2b4661bd39e2
mod_tokenauth: Add some sanity checking of the new optional parameters
Matthew Wild <mwild1@gmail.com>
parents:
12917
diff
changeset
|
33 |
|
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
34 |
local token_id = id.short(); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
35 |
|
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 |
local token_info = { |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
37 |
id = token_id; |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
38 |
|
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 |
owner = actor_jid; |
10679
5efd6865486c
mod_tokenauth: Track creation time of tokens
Matthew Wild <mwild1@gmail.com>
parents:
10678
diff
changeset
|
40 |
created = os.time(); |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 |
expires = token_ttl and (os.time() + token_ttl) or nil; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 |
jid = token_jid; |
12917
012fa81d1f5d
mod_tokenauth: Add 'purpose' constraint
Matthew Wild <mwild1@gmail.com>
parents:
12776
diff
changeset
|
43 |
purpose = token_purpose; |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 |
|
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
45 |
resource = token_resource; |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
46 |
role = token_role; |
12776
daa654dbd8de
mod_tokenauth: Allow attaching an arbitrary data table to a token
Matthew Wild <mwild1@gmail.com>
parents:
12747
diff
changeset
|
47 |
data = token_data; |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 |
}; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 |
|
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
50 |
local token_secret = random.bytes(18); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
51 |
local token = "secret-token:"..base64.encode("2;"..token_id..";"..token_secret..";"..jid.join(token_username, token_host)); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
52 |
token_store:set(token_username, token_id, { |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
53 |
secret_sha256 = hashes.sha256(token_secret, true); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
54 |
token_info = token_info |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
55 |
}); |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
return token, token_info; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
local function parse_token(encoded_token) |
12921
e4de42495fb7
mod_tokenauth: Gracefully handle missing tokens
Matthew Wild <mwild1@gmail.com>
parents:
12919
diff
changeset
|
61 |
if not encoded_token then return nil; end |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
62 |
local encoded_data = encoded_token:match("^secret%-token:(.+)$"); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
63 |
if not encoded_data then return nil; end |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
64 |
local token = base64.decode(encoded_data); |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 |
if not token then return nil; end |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
66 |
local token_id, token_secret, token_jid = token:match("^2;([^;]+);([^;]+);(.+)$"); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
67 |
if not token_id then return nil; end |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 |
local token_user, token_host = jid.split(token_jid); |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
69 |
return token_id, token_user, token_host, token_secret; |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 |
|
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
72 |
local function _get_validated_token_info(token_id, token_user, token_host, token_secret) |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
if token_host ~= module.host then |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 |
return nil, "invalid-host"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 |
|
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
77 |
local token, err = token_store:get(token_user, token_id); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
78 |
if not token then |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 |
if err then |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 |
return nil, "internal-error"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
81 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 |
return nil, "not-authorized"; |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
83 |
elseif not token.secret_sha256 then -- older token format |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
84 |
token_store:set(token_user, token_id, nil); |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
85 |
return nil, "not-authorized"; |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
86 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
87 |
|
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
88 |
-- Check provided secret |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
89 |
if not hashes.equals(hashes.sha256(token_secret, true), token.secret_sha256) then |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
90 |
return nil, "not-authorized"; |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
91 |
end |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
92 |
|
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
93 |
local token_info = token.token_info; |
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
94 |
|
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
95 |
if token_info.expires and token_info.expires < os.time() then |
12747
19113f232423
mod_tokenauth: Remove expired tokens from storage
Matthew Wild <mwild1@gmail.com>
parents:
12746
diff
changeset
|
96 |
token_store:set(token_user, token_id, nil); |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
97 |
return nil, "not-authorized"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
98 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
99 |
|
12746
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12666
diff
changeset
|
100 |
local account_info = usermanager.get_account_info(token_user, module.host); |
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12666
diff
changeset
|
101 |
local password_updated_at = account_info and account_info.password_updated; |
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12666
diff
changeset
|
102 |
if password_updated_at and password_updated_at > token_info.created then |
12747
19113f232423
mod_tokenauth: Remove expired tokens from storage
Matthew Wild <mwild1@gmail.com>
parents:
12746
diff
changeset
|
103 |
token_store:set(token_user, token_id, nil); |
12746
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12666
diff
changeset
|
104 |
return nil, "not-authorized"; |
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12666
diff
changeset
|
105 |
end |
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12666
diff
changeset
|
106 |
|
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
107 |
return token_info |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
108 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 |
|
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
110 |
function get_token_info(token) |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
111 |
local token_id, token_user, token_host, token_secret = parse_token(token); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
112 |
if not token_id then |
12956
a668bc1aa39d
mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents:
12942
diff
changeset
|
113 |
module:log("warn", "Failed to verify access token: %s", token_user); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
114 |
return nil, "invalid-token-format"; |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
115 |
end |
12957
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12956
diff
changeset
|
116 |
return _get_validated_token_info(token_id, token_user, token_host, token_secret); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
117 |
end |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
118 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
119 |
function get_token_session(token, resource) |
12963
e331210beeb2
mod_tokenauth: Fix traceback in get_token_session()
Kim Alvefur <zash@zash.se>
parents:
12957
diff
changeset
|
120 |
local token_id, token_user, token_host, token_secret = parse_token(token); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
121 |
if not token_id then |
12956
a668bc1aa39d
mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents:
12942
diff
changeset
|
122 |
module:log("warn", "Failed to verify access token: %s", token_user); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
123 |
return nil, "invalid-token-format"; |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
124 |
end |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
125 |
|
12963
e331210beeb2
mod_tokenauth: Fix traceback in get_token_session()
Kim Alvefur <zash@zash.se>
parents:
12957
diff
changeset
|
126 |
local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret); |
12653
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
127 |
if not token_info then return nil, err; end |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
128 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
129 |
return { |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
130 |
username = token_user; |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
131 |
host = token_host; |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
132 |
resource = token_info.resource or resource or generate_identifier(); |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
133 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
134 |
role = select_role(token_user, token_host, token_info.role); |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
135 |
}; |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
136 |
end |
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
137 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10679
diff
changeset
|
138 |
|
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
139 |
function revoke_token(token) |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
140 |
local token_id, token_user, token_host = parse_token(token); |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
141 |
if not token_id then |
12956
a668bc1aa39d
mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents:
12942
diff
changeset
|
142 |
module:log("warn", "Failed to verify access token: %s", token_user); |
10672
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
143 |
return nil, "invalid-token-format"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
144 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
145 |
if token_host ~= module.host then |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
146 |
return nil, "invalid-host"; |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
147 |
end |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
148 |
return token_store:set(token_user, token_id, nil); |
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
149 |
end |
12919
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
150 |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
151 |
function sasl_handler(auth_provider, purpose, extra) |
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
152 |
return function (sasl, token, realm, _authzid) |
12919
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
153 |
local token_info, err = get_token_info(token); |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
154 |
if not token_info then |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
155 |
module:log("debug", "SASL handler failed to verify token: %s", err); |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
156 |
return nil, nil, extra; |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
157 |
end |
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
158 |
local token_user, token_host, resource = jid.split(token_info.jid); |
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
159 |
if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then |
12919
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
160 |
return nil, nil, extra; |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
161 |
end |
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
162 |
if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then |
12919
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
163 |
return true, false, token_info; |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
164 |
end |
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
165 |
sasl.resource = resource; |
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
166 |
sasl.token_info = token_info; |
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12923
diff
changeset
|
167 |
return token_user, true, token_info; |
12919
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
168 |
end; |
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12918
diff
changeset
|
169 |
end |