prosody: plugins/mod_tokenauth.lua@3784a8ce0596 (annotated)

10672 25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	1	local id = require "util.id";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	2	local jid = require "util.jid";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	3	local base64 = require "util.encodings".base64;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	4
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	5	local token_store = module:open_store("auth_tokens", "map");
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	6
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	7	function create_jid_token(actor_jid, token_jid, token_scope, token_ttl)
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	8	token_jid = jid.prep(token_jid);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	9	if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	10	return nil, "not-authorized";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	11	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	12
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	13	local token_username, token_host, token_resource = jid.split(token_jid);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	14
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	15	if token_host ~= module.host then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	16	return nil, "invalid-host";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	17	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	18
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	19	local token_info = {
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	20	owner = actor_jid;
10679 5efd6865486c mod_tokenauth: Track creation time of tokens Matthew Wild <mwild1@gmail.com> parents: 10678 diff changeset	21	created = os.time();
10672 25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	22	expires = token_ttl and (os.time() + token_ttl) or nil;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	23	jid = token_jid;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	24	session = {
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	25	username = token_username;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	26	host = token_host;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	27	resource = token_resource;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	28
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	29	auth_scope = token_scope;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	30	};
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	31	};
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	32
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	33	local token_id = id.long();
10678 4459afac4d13 mod_tokenauth: Handle tokens issued to bare hosts (eg components) Kim Alvefur <zash@zash.se> parents: 10673 diff changeset	34	local token = base64.encode("1;"..jid.join(token_username, token_host)..";"..token_id);
10672 25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	35	token_store:set(token_username, token_id, token_info);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	36
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	37	return token, token_info;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	38	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	39
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	40	local function parse_token(encoded_token)
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	41	local token = base64.decode(encoded_token);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	42	if not token then return nil; end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	43	local token_jid, token_id = token:match("^1;([^;]+);(.+)$");
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	44	if not token_jid then return nil; end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	45	local token_user, token_host = jid.split(token_jid);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	46	return token_id, token_user, token_host;
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	47	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	48
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	49	function get_token_info(token)
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	50	local token_id, token_user, token_host = parse_token(token);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	51	if not token_id then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	52	return nil, "invalid-token-format";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	53	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	54	if token_host ~= module.host then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	55	return nil, "invalid-host";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	56	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	57
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	58	local token_info, err = token_store:get(token_user, token_id);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	59	if not token_info then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	60	if err then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	61	return nil, "internal-error";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	62	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	63	return nil, "not-authorized";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	64	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	65
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	66	if token_info.expires and token_info.expires < os.time() then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	67	return nil, "not-authorized";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	68	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	69
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	70	return token_info
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	71	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	72
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	73	function revoke_token(token)
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	74	local token_id, token_user, token_host = parse_token(token);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	75	if not token_id then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	76	return nil, "invalid-token-format";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	77	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	78	if token_host ~= module.host then
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	79	return nil, "invalid-host";
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	80	end
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	81	return token_store:set(token_user, token_id, nil);
25c84c0a66fd mod_authtokens: New module for managing auth tokens Matthew Wild <mwild1@gmail.com> parents: diff changeset	82	end

author	Kim Alvefur <zash@zash.se>
	Mon, 12 Dec 2022 07:07:13 +0100
branch	0.12
changeset 12803	3784a8ce0596
parent 10679	5efd6865486c
child 12653	86e1187f6274
permissions	-rw-r--r--