Mercurial > prosody-modules
annotate mod_auth_custom_http/mod_auth_custom_http.lua @ 5682:527c747711f3
mod_http_oauth2: Limit revocation to clients own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the later
part using the hash of client_id recorded in 0860497152af
It still seems weird to me that revoking a leaked token should not be
allowed whoever might have discovered it, as that seems the responsible
thing to do.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 29 Oct 2023 11:30:49 +0100 |
| parents | 32d7f05e062f |
| children |
| rev | line source |
|---|---|
|
1043
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
1 -- Prosody IM |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2010 Waqas Hussain |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
3 -- |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
4 -- This project is MIT/X11 licensed. Please see the |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
5 -- COPYING file in the source package for more information. |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
6 -- |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
7 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
8 local new_sasl = require "util.sasl".new; |
|
2867
94d8960385aa
mod_auth_custom_http: Fix json.encode impoper reference
Senya <senya@kinetiksoft.com>
parents:
1343
diff
changeset
|
9 local json = require "util.json"; |
|
3989
32d7f05e062f
mod_auth_custom_http: Unlock globals while loading socket.http
Matthew Wild <mwild1@gmail.com>
parents:
2867
diff
changeset
|
10 prosody.unlock_globals(); |
|
1046
b9d47487d550
mod_auth_custom_http: Organize imports, and make the URL a config option.
Waqas Hussain <waqas20@gmail.com>
parents:
1045
diff
changeset
|
11 local http = require "socket.http"; |
|
3989
32d7f05e062f
mod_auth_custom_http: Unlock globals while loading socket.http
Matthew Wild <mwild1@gmail.com>
parents:
2867
diff
changeset
|
12 prosody.lock_globals(); |
|
1046
b9d47487d550
mod_auth_custom_http: Organize imports, and make the URL a config option.
Waqas Hussain <waqas20@gmail.com>
parents:
1045
diff
changeset
|
13 |
|
b9d47487d550
mod_auth_custom_http: Organize imports, and make the URL a config option.
Waqas Hussain <waqas20@gmail.com>
parents:
1045
diff
changeset
|
14 local options = module:get_option("auth_custom_http"); |
|
b9d47487d550
mod_auth_custom_http: Organize imports, and make the URL a config option.
Waqas Hussain <waqas20@gmail.com>
parents:
1045
diff
changeset
|
15 local post_url = options and options.post_url; |
|
b9d47487d550
mod_auth_custom_http: Organize imports, and make the URL a config option.
Waqas Hussain <waqas20@gmail.com>
parents:
1045
diff
changeset
|
16 assert(post_url, "No HTTP POST URL provided"); |
|
1043
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
17 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
18 local provider = {}; |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
19 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
20 function provider.test_password(username, password) |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
21 return nil, "Not supported" |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
22 end |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
23 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
24 function provider.get_password(username) |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
25 return nil, "Not supported" |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
26 end |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
27 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
28 function provider.set_password(username, password) |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
29 return nil, "Not supported" |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
30 end |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
31 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
32 function provider.user_exists(username) |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
33 return true; |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
34 end |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
35 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
36 function provider.create_user(username, password) |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
37 return nil, "Not supported" |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
38 end |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
39 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
40 function provider.delete_user(username) |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
41 return nil, "Not supported" |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
42 end |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
43 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
44 function provider.get_sasl_handler() |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
45 local getpass_authentication_profile = { |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
46 plain_test = function(sasl, username, password, realm) |
|
2867
94d8960385aa
mod_auth_custom_http: Fix json.encode impoper reference
Senya <senya@kinetiksoft.com>
parents:
1343
diff
changeset
|
47 local postdata = json.encode({ username = username, password = password }); |
|
1046
b9d47487d550
mod_auth_custom_http: Organize imports, and make the URL a config option.
Waqas Hussain <waqas20@gmail.com>
parents:
1045
diff
changeset
|
48 local result = http.request(post_url, postdata); |
|
1043
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
49 return result == "true", true; |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
50 end, |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
51 }; |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
52 return new_sasl(module.host, getpass_authentication_profile); |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
53 end |
|
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1046
diff
changeset
|
54 |
|
1043
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
55 |
|
809f7d46ad5c
mod_auth_custom_http: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff
changeset
|
56 module:provides("auth", provider); |