Mercurial > prosody-modules
annotate mod_auth_ha1/mod_auth_ha1.lua @ 5407:149634647b48
mod_http_oauth2: Don't issue client_secret when not using authentication
This is pretty much only for implicit flow, which is considered insecure
anyway, so this is of limited value. If we delete all the implicit flow
code, this could be reverted.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:39:32 +0200 |
parents | 31c4d92a81e5 |
children |
rev | line source |
---|---|
1472
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 -- Prosody IM |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2014 Matthew Wild |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 -- |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 -- This project is MIT/X11 licensed. Please see the |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 -- COPYING file in the source package for more information. |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 -- |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 local usermanager = require "core.usermanager"; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local new_sasl = require "util.sasl".new; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local nodeprep = require "util.encodings".stringprep.nodeprep; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 local nameprep = require "util.encodings".stringprep.nameprep; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local md5 = require "util.hashes".md5; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local host = module.host; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 local auth_filename = module:get_option_string("auth_ha1_file", "auth.txt"); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 local auth_data = {}; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 function reload_auth_data() |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local f, err = io.open(auth_filename); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 if not f then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 module:log("error", "Failed to read from auth file: %s", err); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 return; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 auth_data = {}; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 local line_number, imported_count, not_authorized_count = 0, 0, 0; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 for line in f:lines() do |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 line_number = line_number + 1; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 local username, hash, realm, state = line:match("^([^:]+):(%x+):([^:]+):(.+)$"); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 if not username then |
1473
31c4d92a81e5
mod_auth_ha1: Skip commented lines
Matthew Wild <mwild1@gmail.com>
parents:
1472
diff
changeset
|
32 if line:sub(1,1) ~= "#" then |
31c4d92a81e5
mod_auth_ha1: Skip commented lines
Matthew Wild <mwild1@gmail.com>
parents:
1472
diff
changeset
|
33 module:log("error", "Unable to parse line %d of auth file, skipping", line_number); |
31c4d92a81e5
mod_auth_ha1: Skip commented lines
Matthew Wild <mwild1@gmail.com>
parents:
1472
diff
changeset
|
34 end |
1472
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 else |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 username, realm = nodeprep(username), nameprep(realm); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 if not username then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 module:log("error", "Invalid username on line %d of auth file, skipping", line_number); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 elseif not realm then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 module:log("error", "Invalid hostname/realm on line %d of auth file, skipping", line_number); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 elseif state ~= "authorized" then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 not_authorized_count = not_authorized_count + 1; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 elseif realm == host then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 auth_data[username] = hash; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 imported_count = imported_count + 1; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 f:close(); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 module:log("debug", "Loaded %d accounts from auth file (%d authorized)", imported_count, imported_count-not_authorized_count); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 function module.load() |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 reload_auth_data(); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 module:hook_global("config-reloaded", reload_auth_data); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 -- define auth provider |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 local provider = {}; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 function provider.test_password(username, password) |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 module:log("debug", "test password for user %s at host %s, %s", username, host, password); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 local test_hash = md5(username..":"..host..":"..password, true); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 if test_hash == auth_data[username] then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 return true; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 else |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 return nil, "Auth failed. Invalid username or password."; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 function provider.set_password(username, password) |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 return nil, "Changing passwords not supported"; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 function provider.user_exists(username) |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 if not auth_data[username] then |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 module:log("debug", "account not found for username '%s' at host '%s'", username, host); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
81 return nil, "Auth failed. Invalid username"; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
83 return true; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
85 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
86 function provider.create_user(username, password) |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
87 return nil, "User creation not supported"; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
88 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
89 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
90 function provider.delete_user(username) |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
91 return nil , "User deletion not supported"; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
92 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
93 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
94 function provider.get_sasl_handler() |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
95 return new_sasl(host, { |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
96 plain_test = function(sasl, username, password, realm) |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
97 return usermanager.test_password(username, realm, password), true; |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
98 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
99 }); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
100 end |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 module:provides("auth", provider); |
d44926f39f00
mod_auth_ha1: Authentication module for 'HA1' hashed credentials in a text file, as used by reTurnServer
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
103 |