Mercurial Mercurial > prosody > prosody / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
util/sasl/oauthbearer.lua
author Matthew Wild <mwild1@gmail.com>
Wed, 15 Mar 2023 12:02:23 +0000
changeset 12941 23b20ede9c34
parent 12940 b796e08e6376
child 12942 055b03d3059b
permissions -rw-r--r--
util.sasl.oauthbearer: Fix syntax error in b796e08e6376

local saslprep = require "util.encodings".stringprep.saslprep;
local nodeprep = require "util.encodings".stringprep.nodeprep;
local jid = require "util.jid";
local json = require "util.json";
local log = require "util.logger".init("sasl");
local _ENV = nil;


local function oauthbearer(self, message)
	if not message then
		return "failure", "malformed-request";
	end

	if message == "\001" then
		return "failure", "not-authorized";
	end

	local gs2_authzid, kvpairs = message:match("n,a=([^,]+),(.+)$");
	if not gs2_authzid then
		return "failure", "malformed-request";
	end

	local auth_header;
	for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do
		if k == "auth" then
			auth_header = v;
			break;
		end
	end

	if not auth_header then
		return "failure", "malformed-request";
	end

	local username = jid.prepped_split(gs2_authzid);

	if not username or username == "" then
		return "failure", "malformed-request", "Expected authorization identity in the username@hostname format";
	end

	-- SASLprep username
	username = saslprep(username);

	if not username or username == "" then
		log("debug", "Username violates SASLprep.");
		return "failure", "malformed-request", "Invalid username.";
	end

	local _nodeprep = self.profile.nodeprep;
	if _nodeprep ~= false then
		username = (_nodeprep or nodeprep)(username);
		if not username or username == "" then
			return "failure", "malformed-request", "Invalid username or password."
		end
	end

	self.username = username;

	local token = auth_header:match("^Bearer (.+)$");

	local correct, state, token_info = self.profile.oauthbearer(self, username, token, self.realm);

	if state == false then
		return "failure", "account-disabled";
	elseif state == nil or not correct then
		-- For token-level errors, RFC 7628 demands use of a JSON-encoded
		-- challenge response upon failure. We relay additional info from
		-- the auth backend if available.
		return "challenge", json.encode({
			status = token_info and token_info.status or "invalid_token";
			scope = token_info and token_info.scope or nil;
			["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil;
		});
	end

	self.resource = token_info.resource;
	self.role = token_info.role;
	self.token_info = token_info;

	return "success";
end

local function init(registerMechanism)
	registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);
end

return {
	init = init;
}
prosody