Matthew Wild <mwild1@gmail.com> [Sun, 26 Mar 2023 16:46:48 +0100] rev 13001
mod_tokenauth: Support for creating sub-tokens
Properties of sub-tokens:
- They share the same id as their parent token
- Sub-tokens may not have their own sub-tokens (but may have sibling tokens)
- They always have the same or shorter lifetime compared to their parent token
- Revoking a parent token revokes all sub-tokens
- Sub-tokens always have the same JID as the parent token
- They do not have their own 'accessed' property - accessing a sub-token
updates the parent token's accessed time
Although this is a generic API, it is designed to at least fill the needs of
OAuth2 refresh + access tokens (where the parent token is the refresh token
and the sub-tokens are access tokens).
Matthew Wild <mwild1@gmail.com> [Sun, 26 Mar 2023 15:53:27 +0100] rev 13000
mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com> [Sun, 26 Mar 2023 14:06:04 +0100] rev 12999
moduleapi: Add 'peek' to :may() and new :could() helper to suppress logging
The current method logs scary "access denied" messages on failure - this is
generally very useful when debugging access control stuff, but in some cases
the call is simply a check to see if someone *could* perform an action, even
if they haven't requested it yet. One example is determining whether to show
the user as an admin in disco.
The 'peek' parameter, if true, will suppress such logging.
The :could() method is just a simple helper that can make the calling code a
bit more readable (suggested by Zash).
Matthew Wild <mwild1@gmail.com> [Sat, 25 Mar 2023 19:38:41 +0000] rev 12998
moduleapi: may: Fail early if a local session has no role assigned
We expect every session to explicitly have a role assigned. Falling back to
any kind of "default" role (even the user's default role) in the absence of
an explicit role could open up the possibility of accidental privilege
escalation.
Kim Alvefur <zash@zash.se> [Sun, 26 Mar 2023 16:51:33 +0200] rev 12997
core.usermanager: Correct formatting of not implemented error
Spaces, no hyphen, apparently.
Kim Alvefur <zash@zash.se> [Sun, 26 Mar 2023 16:45:34 +0200] rev 12996
mod_admin_shell: Enable user after creation with role
Fixes that otherwise the user was created in a disabled state and left
as such.
Kim Alvefur <zash@zash.se> [Sun, 26 Mar 2023 16:45:23 +0200] rev 12995
mod_admin_shell: Simplify user creation when no role given
Idea here is to prevent a user from being created with the default role
if a different role was given, but that dance wouldn't be needed if no
role is provided.
Kim Alvefur <zash@zash.se> [Sun, 26 Mar 2023 16:07:34 +0200] rev 12994
util.jsonschema: Reorder type definition by specification, section
Also some comment headers and missing properties
Kim Alvefur <zash@zash.se> [Sun, 26 Mar 2023 15:20:07 +0200] rev 12993
util.jsonschema: Implement 'dependentSchemas'
If this object key exists then this schema must validate against the
current object. Seems useful.
Kim Alvefur <zash@zash.se> [Sun, 26 Mar 2023 15:19:14 +0200] rev 12992
util.jsonschema: Implement 'dependentRequired'
If this field exists, then these fields must also exist.