prosody-modules: mod_muc_http_auth/mod_muc_http

annotate mod_muc_http_auth/mod_muc_http_auth.lua @ 4515:2e33eeafe962

mod_muc_markers: Prevent any markers from reaching the archive, even if untracked Original intention was to leave alone things that this module isn't handling. However markers in archives are just problematic without more advanced logic about what is markable and what is not. It also requires a more advanced query in mod_muc_rai to determine the latest markable message instead of the latest archived message. I'd rather keep the "is archivable" and "is markable" definition the same for simplicity. I don't want to introduce yet another set of rules for no reason. No markers in MAM.

author	Matthew Wild <mwild1@gmail.com>
date	Mon, 22 Mar 2021 15:55:02 +0000
parents	9606e7a63a69
children	4b3f054666e6

rev	line source
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	1 local wait_for = require "util.async".wait_for;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	2 local http = require "net.http";
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	3 local json = require "util.json";
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	4 local st = require "util.stanza";
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	5 local jid_node = require "util.jid".node;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	6 local jid_bare = require "util.jid".bare;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	7
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	8 local authorization_url = module:get_option("muc_http_auth_url", "")
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	9 local enabled_for = module:get_option_set("muc_http_auth_enabled_for", nil)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	10 local disabled_for = module:get_option_set("muc_http_auth_disabled_for", nil)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	11 local insecure = module:get_option("muc_http_auth_insecure", false) --For development purposes
4299 8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance. Seve Ferrer <seve@delape.net> parents: 4296 diff changeset	12 local authorize_registration = module:get_option("muc_http_auth_authorize_registration", false)
4322 9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	13 local authorization_header = module:get_option("muc_http_auth_authorization_header", nil)
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	14
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	15 local options = {method="GET", insecure=insecure}
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	16 if authorization_header then
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	17 options.headers = {["Authorization"] = authorization_header};
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	18 end
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	19
4304 aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs Seve Ferrer <seve@delape.net> parents: 4303 diff changeset	20 local verbs = {presence='join', iq='register'};
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs Seve Ferrer <seve@delape.net> parents: 4303 diff changeset	21
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	22 local function must_be_authorized(room_node)
4303 d261233f7ced Improve UX by providing defaults users expect Seve Ferrer <seve@delape.net> parents: 4301 diff changeset	23 -- If none of these is set, all rooms need authorization
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	24 if not enabled_for and not disabled_for then return true; end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	25
4301 bcb2b9adfcde mod_muc_http_auth: Use get_option_set API properly Seve Ferrer <seve@delape.net> parents: 4299 diff changeset	26 if enabled_for then return enabled_for:contains(room_node); end
bcb2b9adfcde mod_muc_http_auth: Use get_option_set API properly Seve Ferrer <seve@delape.net> parents: 4299 diff changeset	27 if disabled_for then return not disabled_for:contains(room_node); end
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	28 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	29
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	30 local function handle_success(response)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	31 local body = json.decode(response.body or "") or {}
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	32 response = {
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	33 err = body.error,
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	34 allowed = body.allowed,
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	35 code = response.code
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	36 }
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	37 return {response=response, err=response.err};
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	38 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	39
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	40 local function handle_error(err)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	41 return {err=err};
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	42 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	43
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	44 local function handle_presence(event)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	45 local stanza = event.stanza;
4304 aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs Seve Ferrer <seve@delape.net> parents: 4303 diff changeset	46 if stanza.name ~= "iq" and stanza.name ~= "presence" or stanza.attr.type == "unavailable" then return; end
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	47
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	48 local room, origin = event.room, event.origin;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	49 if (not room) or (not origin) then return; end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	50
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	51 if not must_be_authorized(jid_node(room.jid)) then return; end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	52
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	53 local user_bare_jid = jid_bare(stanza.attr.from);
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	54 local url = authorization_url .. "?userJID=" .. user_bare_jid .."&mucJID=" .. room.jid;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	55
4322 9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login Seve Ferrer <seve@delape.net> parents: 4319 diff changeset	56 local result = wait_for(http.request(url, options):next(handle_success, handle_error));
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	57 local response, err = result.response, result.err;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	58
4304 aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs Seve Ferrer <seve@delape.net> parents: 4303 diff changeset	59 local verb = verbs[stanza.name];
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	60 if not (response and response.allowed) then
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	61 -- User is not authorized to join this room
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	62 err = (response or {}).err or err
4304 aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs Seve Ferrer <seve@delape.net> parents: 4303 diff changeset	63 module:log("debug", user_bare_jid .. " is not authorized to " ..verb.. ": " .. room.jid .. " Error: " .. tostring(err));
4319 caaa40f072da mod_muc_http_auth: `no-authorized` error must be of type `auth` JC Brand <jc@opkode.com> parents: 4304 diff changeset	64 origin.send(st.error_reply(stanza, "auth", "not-authorized", nil, module.host));
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	65 return true;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	66 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	67
4304 aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs Seve Ferrer <seve@delape.net> parents: 4303 diff changeset	68 module:log("debug", user_bare_jid .. " is authorized to " .. verb .. ": " .. room.jid);
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	69 return;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	70 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	71
4299 8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance. Seve Ferrer <seve@delape.net> parents: 4296 diff changeset	72 if authorize_registration then
8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance. Seve Ferrer <seve@delape.net> parents: 4296 diff changeset	73 module:hook("muc-register-iq", handle_presence);
8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance. Seve Ferrer <seve@delape.net> parents: 4296 diff changeset	74 end
4296 08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP Seve Ferrer <seve@delape.net> parents: diff changeset	75
4319 caaa40f072da mod_muc_http_auth: `no-authorized` error must be of type `auth` JC Brand <jc@opkode.com> parents: 4304 diff changeset	76 module:hook("muc-occupant-pre-join", handle_presence);

Mercurial > prosody-modules

annotate mod_muc_http_auth/mod_muc_http_auth.lua @ 4515:2e33eeafe962