annotate mod_turncredentials/mod_turncredentials.lua @ 5616:59d5fc50f602

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics
author Kim Alvefur <zash@zash.se>
date Sun, 23 Jul 2023 02:56:08 +0200
parents bbfcd786cc78
children
Changesets that contributed the current lines (rev, changeset, summary, author, parents):

1059  95ab35ef52ba  mod_turncredentials: XEP-0215 implementation for time-limited turn credentials  Philipp Hancke <fippo@goodadvice.pages.de>
1108  2da546139cb5  mod_turncredentials: Import HMAC from util.hashes  Kim Alvefur <zash@zash.se>  parents: 1059
1169  0ae2c250f274  mod_turncredentials: Use type-specific get_option() methods where appropriate, and pass in default values  Matthew Wild <mwild1@gmail.com>  parents: 1168
1170  6695c3098025  mod_turncredentials: Use iq-get event, to save checking attr.type manually  Matthew Wild <mwild1@gmail.com>  parents: 1169
1171  a18effacd384  mod_turncredentials: No need to check tag name, we're already in the event handler for the 'services' tag  Matthew Wild <mwild1@gmail.com>  parents: 1170
1326  afae347928d8  mod_turncredentials: Advertise the XEP-0215 feature (thanks Gryffus)  Kim Alvefur <zash@zash.se>  parents: 1325
1343  7dbde05b48a9  all the things: Remove trailing whitespace  Florian Zeitz <florob@babelmonkeys.de>  parents: 1326
3561  deb5ece56c49  mod_turncredentials: Convert numeric attributes to strings (fixes #1339)  Kim Alvefur <zash@zash.se>  parents: 1343
3642  2bbf655431be  mod_turncredentials: Add parallel implementation of XEP-0215 v0.7  Kim Alvefur <zash@zash.se>  parents: 3561
3773  915c7bd5f754  mod_turncredentials: Rename variable for clarity  Kim Alvefur <zash@zash.se>  parents: 3642
3977  bbfcd786cc78  mod_turncredentials: Add 'transport' attribute  Wiktor Kwapisiewicz <wiktor@metacode.biz>  parents: 3774

rev   line  source
1059     1  -- XEP-0215 implementation for time-limited turn credentials
1059     2  -- Copyright (C) 2012-2013 Philipp Hancke
1343     3  -- This file is MIT/X11 licensed.
1059     4
1059     5  local st = require "util.stanza";
1108     6  local hmac_sha1 = require "util.hashes".hmac_sha1;
1059     7  local base64 = require "util.encodings".base64;
1059     8  local os_time = os.time;
3642     9  local datetime = require "util.datetime".datetime;
1169    10  local secret = module:get_option_string("turncredentials_secret");
1169    11  local host = module:get_option_string("turncredentials_host"); -- use ip addresses here to avoid further dns lookup latency
1169    12  local port = module:get_option_number("turncredentials_port", 3478);
1169    13  local ttl = module:get_option_number("turncredentials_ttl", 86400);
1059    14  if not (secret and host) then
1059    15      module:log("error", "turncredentials not configured");
1059    16      return;
1059    17  end
1059    18
1326    19  module:add_feature("urn:xmpp:extdisco:1");
1326    20
1170    21  module:hook("iq-get/host/urn:xmpp:extdisco:1:services", function(event)
1059    22      local origin, stanza = event.origin, event.stanza;
1171    23      if origin.type ~= "c2s" then
1059    24          return;
1059    25      end
3773    26      local expires_at = os_time() + ttl;
3773    27      local userpart = tostring(expires_at);
1059    28      local nonce = base64.encode(hmac_sha1(secret, tostring(userpart), false));
1059    29      origin.send(st.reply(stanza):tag("services", {xmlns = "urn:xmpp:extdisco:1"})
3561    30          :tag("service", { type = "stun", host = host, port = ("%d"):format(port) }):up()
3561    31          :tag("service", { type = "turn", host = host, port = ("%d"):format(port), username = userpart, password = nonce, ttl = ("%d"):format(ttl) }):up()
1059    32      );
1059    33      return true;
1059    34  end);
3642    35
3642    36  module:add_feature("urn:xmpp:extdisco:2");
3642    37
3642    38  module:hook("iq-get/host/urn:xmpp:extdisco:2:services", function(event)
3642    39      local origin, stanza = event.origin, event.stanza;
3642    40      if origin.type ~= "c2s" then
3642    41          return;
3642    42      end
3773    43      local expires_at = os_time() + ttl;
3773    44      local userpart = tostring(expires_at);
3642    45      local nonce = base64.encode(hmac_sha1(secret, tostring(userpart), false));
3642    46      origin.send(st.reply(stanza):tag("services", {xmlns = "urn:xmpp:extdisco:2"})
3977    47          :tag("service", { type = "stun", transport = "udp", host = host, port = ("%d"):format(port) }):up()
3977    48          :tag("service", { type = "stun", transport = "tcp", host = host, port = ("%d"):format(port) }):up()
3977    49          :tag("service", { type = "turn", transport = "udp", host = host, port = ("%d"):format(port), username = userpart, password = nonce, expires = datetime(expires_at), restricted = "1" }):up()
3977    50          :tag("service", { type = "turn", transport = "tcp", host = host, port = ("%d"):format(port), username = userpart, password = nonce, expires = datetime(expires_at), restricted = "1" }):up()
3642    51      );
3642    52      return true;
3642    53  end);
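The module only shows the issuing half of the scheme: lines 26-28 and 43-45 set the TURN username to the expiry timestamp and the password to base64(HMAC-SHA1(secret, username)), which is the shared-secret ("TURN REST API") credential format that servers such as coturn accept when configured with the same static secret. The following is an added example, not code from prosody-modules or from any TURN server; it re-creates the issuing computation in Python and pairs it with the verification a TURN server performs on the other side, including the cases a practitioner should expect to fail (expired credential, edited username, forged password). The secret, timestamps and user id are constructed for the demo; the optional `expiry:userid` username form is an assumed extension taken from the TURN REST API draft and is not what the module emits, which uses the bare timestamp.

```python
# Added example (not code from prosody-modules): both halves of the
# time-limited TURN credential scheme mod_turncredentials implements.
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed value. In deployment this is turncredentials_secret in Prosody
# and the identical shared secret configured on the TURN server.
SECRET = b"example-shared-secret"
TTL = 86400  # the module's default turncredentials_ttl


def mac_password(secret: bytes, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)): the same value the module builds
    with base64.encode(hmac_sha1(secret, userpart, false)) (binary digest)."""
    digest = hmac.new(secret, username.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def issue(secret: bytes, now: int, ttl: int = TTL,
          userid: Optional[str] = None) -> dict:
    """Issuing side (the XMPP server). With userid=None this mirrors the
    module: the username is only the expiry timestamp. userid is an ASSUMED
    extension using the 'timestamp:userid' form of the TURN REST API draft."""
    expires_at = now + ttl
    username = str(expires_at) if userid is None else f"{expires_at}:{userid}"
    return {
        "username": username,
        "password": mac_password(secret, username),
        "expires": expires_at,  # extdisco:2 sends this as an RFC 3339 timestamp
        "ttl": ttl,             # extdisco:1 sends this attribute instead
    }


def verify(secret: bytes, username: str, password: str,
           now: int) -> Tuple[bool, str]:
    """Verifying side (the TURN server). Recompute the MAC over the username
    exactly as received, compare in constant time, then treat the leading
    decimal field of the username as the expiry time."""
    expected = mac_password(secret, username)
    if not hmac.compare_digest(expected, password):
        return False, "bad password"
    try:
        expires_at = int(username.split(":", 1)[0])
    except ValueError:
        return False, "malformed username"
    if now >= expires_at:
        return False, "expired"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Run the exchange plus the failure modes a deployment should exhibit."""
    cred = issue(SECRET, now)
    bound = issue(SECRET, now, userid="alice")  # assumed extension, see above
    return {
        "fresh": verify(SECRET, cred["username"], cred["password"], now + 60),
        "expired": verify(SECRET, cred["username"], cred["password"],
                          now + TTL + 1),
        # Client edits the username to push the expiry out: MAC no longer matches.
        "tampered_username": verify(SECRET, str(now + 10 * TTL),
                                    cred["password"], now),
        # Party without the secret forges a password.
        "wrong_secret": verify(SECRET, cred["username"],
                               mac_password(b"guess", cred["username"]), now),
        # Two requests in the same second yield identical credentials, because
        # the module's username carries no per-user component.
        "same_second_identical": issue(SECRET, now) == issue(SECRET, now),
        "with_userid": verify(SECRET, bound["username"], bound["password"], now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two properties worth checking in a real deployment follow directly from the code: the password is valid until the timestamp in the username regardless of when it was handed out, so `turncredentials_ttl` is the only thing bounding a leaked credential's lifetime, and every client asking within the same second receives the same username and password, since nothing user-specific enters the HMAC input.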