annotate mod_s2soutinjection/mod_s2soutinjection.lua @ 5616:59d5fc50f602
mod_http_oauth2: Implement refresh token rotation
Makes refresh tokens one-time-use, handing out a new refresh token with
each access token. Thus if a refresh token is stolen and used by an
attacker, the next time the legitimate client tries to use the previous
refresh token, it will not work and the attack will be noticed. If the
attacker does not use the refresh token, it becomes invalid after the
legitimate client uses it.
This behavior is recommended by draft-ietf-oauth-security-topics
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 23 Jul 2023 02:56:08 +0200 |
parents | 4fb922aa0ace |
children |
local st = require("util.stanza");
local new_outgoing = require("core.s2smanager").new_outgoing;
local bounce_sendq = module:depends("s2s").route_to_new_session.bounce_sendq;
local initialize_filters = require("util.filters").initialize;

local portmanager = require("core.portmanager");

local addclient = require("net.server").addclient;

module:depends("s2s");

-- Outgoing sessions keyed by connection, held only while proxy_listener
-- owns the connection (i.e. until it is handed to the real s2s listener).
local sessions = module:shared("sessions");

-- Example: s2s_connect_overrides = { ["remote.example"] = { "127.0.0.1", 5270 } }
-- Each entry is a hostname/address string or a { host, port } pair; stanzas
-- for a listed to_host are connected straight to that address instead of
-- going through the normal DNS/SRV resolution done by mod_s2s.
-- NOTE(review): overriding the target only changes where the TCP connection
-- goes. Whether certificate/name verification for to_host still applies once
-- the real s2s listener takes over is not visible in this file -- confirm
-- against mod_s2s before pointing an override at a host you do not control.
local injected = module:get_option("s2s_connect_overrides");
-- proxy_listener owns an outgoing connection only while it is being
-- established; once connected it hands the socket over to the normal
-- s2s listener registered with portmanager (see mod_s2s).
-- default_mode "*a" asks net.server for raw, unframed reads.
local proxy_listener = {
	default_port = nil,
	default_mode = "*a",
	default_interface = "*",
};
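-- Called by net.server once the TCP connection to the injected target is
-- up. Wires up just enough of the session for the opening <stream:stream>
-- to be sent, then hands the connection to the real s2s listener (mod_s2s),
-- which performs the normal outgoing-session handling from here on.
function proxy_listener.onconnect(conn)
	local session = sessions[conn];

	-- Now the real s2s listener can take over the connection.
	local listener = portmanager.get_service("s2s").listener;

	local log = session.log;

	local filter = initialize_filters(session);

	session.version = 1;

	-- Minimal sender: runs the stanzas/out and bytes/out filters and writes
	-- straight to the socket.
	-- NOTE(review): listener.register_outgoing below may (re)initialize
	-- sends2s/open_stream/filters itself, in which case these overrides only
	-- matter for anything sent before that call -- confirm against mod_s2s.
	session.sends2s = function (t)
		log("debug", "sending (s2s over proxy): %s", (t.top_tag and t:top_tag()) or t:match("^[^>]*>?"));
		if t.name then
			t = filter("stanzas/out", t);
		end
		if t then
			t = filter("bytes/out", tostring(t));
			if t then
				return conn:write(tostring(t));
			end
		end
	end

	-- Opening header of the outgoing jabber:server stream, announcing
	-- dialback support and XMPP 1.0.
	session.open_stream = function ()
		session.sends2s(st.stanza("stream:stream", {
			xmlns='jabber:server', ["xmlns:db"]='jabber:server:dialback',
			["xmlns:stream"]='http://etherx.jabber.org/streams',
			from=session.from_host, to=session.to_host, version='1.0', ["xml:lang"]='en'}):top_tag());
	end

	conn.setlistener(conn, listener);

	-- proxy_listener.ondisconnect (the only place that clears this entry)
	-- no longer fires for this connection after the listener swap, so drop
	-- our bookkeeping here or the session is referenced forever.
	sessions[conn] = nil;

	listener.register_outgoing(conn, session);

	listener.onconnect(conn);
end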
-- Remember `session` as the outgoing session riding on `conn` while the
-- connection is still being established and proxy_listener is its listener.
-- Mirrors the register_outgoing entry point of the real s2s listener that
-- onconnect calls after the hand-over.
function proxy_listener.register_outgoing(conn, session)
	sessions[conn] = session;
	session.direction = "outgoing";
end
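-- Called by net.server if the connection drops (or the connect attempt
-- fails) while proxy_listener still owns it, i.e. before onconnect handed
-- it to the real s2s listener. `err` is the socket error, if any.
-- Only forgetting the entry would leave the half-built session registered
-- for to_host with its queued stanzas never bounced, so later stanzas for
-- that host would keep piling up on a dead session; tear it down instead.
function proxy_listener.ondisconnect(conn, err)
	local destroy_session = require("core.s2smanager").destroy_session;
	local session = sessions[conn];
	sessions[conn] = nil;
	if session then
		session.log("warn", "connection to injected s2s target failed before stream setup: %s", tostring(err));
		-- NOTE(review): expected to unregister the session and bounce its
		-- sendq via session.bounce_sendq (set in the route/remote hook) --
		-- confirm against core.s2smanager.
		destroy_session(session, err);
	end
end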
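-- Intercept stanzas for hosts listed in s2s_connect_overrides and open the
-- outgoing s2s connection to the configured address instead of letting
-- mod_s2s resolve the destination. Priority -2 leaves earlier handlers
-- (reuse of an already established session) untouched; only new
-- connections are intercepted.
-- Returns true when the stanza has been taken over (queued on the new
-- session, or bounced if the connect attempt failed), nil otherwise.
module:hook("route/remote", function(event)
	local destroy_session = require("core.s2smanager").destroy_session;
	local from_host, to_host, stanza = event.from_host, event.to_host, event.stanza;
	local inject = injected and injected[to_host];
	if not inject then return end
	module:log("debug", "opening a new outgoing connection for this stanza");
	local host_session = new_outgoing(from_host, to_host);

	-- Queue the stanza until the stream is established. The second element
	-- is the reply to bounce should the connection fail; errors and results
	-- are never bounced, hence `false` for those.
	host_session.bounce_sendq = bounce_sendq;
	host_session.sendq = { {tostring(stanza), stanza.attr.type ~= "error" and stanza.attr.type ~= "result" and st.reply(stanza)} };
	host_session.log("debug", "stanza [%s] queued until connection complete", tostring(stanza.name));

	-- An override is either "host" or { "host", port }; port defaults to 5269.
	local host, port = inject[1] or inject, tonumber(inject[2]) or 5269;

	local conn, err = addclient(host, port, proxy_listener, "*a");
	if not conn then
		-- addclient can fail synchronously (bad address, no socket, ...).
		-- Without this check sessions[nil] would raise inside the routing
		-- hook, and the half-created session would linger registered for
		-- to_host with its queue never bounced. Return true rather than
		-- falling through so the stanza is never routed around the override.
		host_session.log("warn", "could not connect to %s:%d: %s", tostring(host), port, tostring(err));
		-- NOTE(review): expected to bounce the sendq via host_session.bounce_sendq
		-- set above -- confirm against core.s2smanager.
		destroy_session(host_session, err);
		return true;
	end

	proxy_listener.register_outgoing(conn, host_session);

	host_session.conn = conn;
	return true;
end, -2);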