Mercurial > prosody-modules
annotate mod_readonly/mod_readonly.lua @ 5616:59d5fc50f602
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 23 Jul 2023 02:56:08 +0200 |
| parents | 7776c9dc5f37 |
| children |
| rev | line source |
|---|---|
|
750
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local st = require "util.stanza"; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local stores = module:get_option("readonly_stores", { |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 vcard = { "vcard-temp", "vCard" }; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 }); |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 local namespaces = {}; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 for name, namespace in pairs(stores) do |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 namespaces[table.concat(namespace, ":")] = name; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 end |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
|
3270
7776c9dc5f37
mod_readonly: Simplify iq handling by hooking on iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
750
diff
changeset
|
12 local function prevent_write(event) |
|
750
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local stanza = event.stanza; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local xmlns_and_tag = stanza.tags[1].attr.xmlns..":"..stanza.tags[1].name; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local store_name = namespaces[xmlns_and_tag]; |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 if store_name then |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 module:log("warn", "Preventing modification of %s store by %s", store_name, stanza.attr.from); |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 event.origin.send(st.error_reply(stanza, "cancel", "not-allowed", store_name.." data is read-only")); |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 return true; -- Block stanza |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 end |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 end |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
|
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 for namespace in pairs(namespaces) do |
|
3270
7776c9dc5f37
mod_readonly: Simplify iq handling by hooking on iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
750
diff
changeset
|
24 module:hook("iq-set/bare/"..namespace, prevent_write, 200); |
|
750
8133dd5f266a
mod_readonly: Allow preventing direct modification of certain user data via XMPP
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end |