Mercurial > prosody-modules
annotate mod_s2s_idle_timeout/mod_s2s_idle_timeout.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parents | 4e235e565693 |
| children |
| rev | line source |
|---|---|
|
127
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local now = os.time; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local s2smanager = require "core.s2smanager"; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local timer = require "util.timer"; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 local s2s_sessions = setmetatable({}, { __mode = "kv" }); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 local idle_timeout = module:get_option("s2s_idle_timeout") or 300; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local check_interval = math.ceil(idle_timeout * 0.75); |
|
932
4e235e565693
mod_bidi, mod_dwd, mod_s2s_idle_timeout: Update for recent 0.9 changes (612467e263af)
Matthew Wild <mwild1@gmail.com>
parents:
127
diff
changeset
|
10 |
|
4e235e565693
mod_bidi, mod_dwd, mod_s2s_idle_timeout: Update for recent 0.9 changes (612467e263af)
Matthew Wild <mwild1@gmail.com>
parents:
127
diff
changeset
|
11 local function install_checks(session) |
|
127
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 if not session.last_received_time then |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 session.last_received_time = now(); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 if session.direction == "incoming" then |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local _data = session.data; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 function session.data(conn, data) |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 session.last_received_time = now(); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 return _data(conn, data); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 else |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local _sends2s = session.sends2s; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 function session.sends2s(data) |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 session.last_received_time = now(); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 return _sends2s(data); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 s2s_sessions[session] = true; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
|
932
4e235e565693
mod_bidi, mod_dwd, mod_s2s_idle_timeout: Update for recent 0.9 changes (612467e263af)
Matthew Wild <mwild1@gmail.com>
parents:
127
diff
changeset
|
31 module:hook("s2s-authenticated", function (event) |
|
4e235e565693
mod_bidi, mod_dwd, mod_s2s_idle_timeout: Update for recent 0.9 changes (612467e263af)
Matthew Wild <mwild1@gmail.com>
parents:
127
diff
changeset
|
32 install_checks(event.session); |
|
4e235e565693
mod_bidi, mod_dwd, mod_s2s_idle_timeout: Update for recent 0.9 changes (612467e263af)
Matthew Wild <mwild1@gmail.com>
parents:
127
diff
changeset
|
33 end); |
|
4e235e565693
mod_bidi, mod_dwd, mod_s2s_idle_timeout: Update for recent 0.9 changes (612467e263af)
Matthew Wild <mwild1@gmail.com>
parents:
127
diff
changeset
|
34 |
|
127
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 function check_idle_sessions(time) |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 time = time or now(); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 for session in pairs(s2s_sessions) do |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 local last_received_time = session.last_received_time; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 if last_received_time and time - last_received_time > idle_timeout then |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 module:log("debug", "Closing idle connection %s->%s", |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 session.from_host or "(unknown)", session.to_host or "(unknown)"); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 session:close(); -- Close-on-idle isn't an error |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 s2s_sessions[session] = nil; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 return check_interval; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 timer.add_task(check_interval, check_idle_sessions); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 function module.save() |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 return { s2s_sessions = s2s_sessions }; |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 end |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 function module.restore(data) |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 s2s_sessions = setmetatable(data.s2s_sessions or {}, { __mode = "kv" }); |
|
6c454d7208ae
mod_s2s_idle_timeout: Close idle connections after s2s_idle_timeout seconds, default 300s
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 end |