Mercurial > prosody-modules
annotate mod_pubsub_post/README.markdown @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication bypass when no secret is given should be
relatively safe when the actor is unprivileged, as will be unless
explicitly configured otherwise.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 30 Mar 2019 21:16:13 +0100 |
parents | 42e9e3c5eb02 |
children | 106b4ae4469b |
rev | line source |
---|---|
3100 | 1 # Introduction |
2 | |
3 Lets you easily publish data to PubSub using a HTTP POST request. The | |
4 payload can be Atom feeds, arbitrary XML, or arbitrary JSON. The type | |
5 should be indicated via the `Content-Type` header. | |
6 | |
7 ``` {.bash} | |
8 curl http://localhost:5280/pubsub_post/princely_musings \ | |
9 -H "Content-Type: application/json" \ | |
10 --data-binary '{"musing":"To be, or not to be: that is the question"}' | |
11 ``` | |
12 | |
3153
e0de1fdbc80a
mod_pubsub_post/README: Describe what happens to different data types
Kim Alvefur <zash@zash.se>
parents:
3152
diff
changeset
|
13 - JSON data is wrapped in a [XEP-0335] container. |
e0de1fdbc80a
mod_pubsub_post/README: Describe what happens to different data types
Kim Alvefur <zash@zash.se>
parents:
3152
diff
changeset
|
14 - An Atom feed may have many `<entry>` and each one is published as |
e0de1fdbc80a
mod_pubsub_post/README: Describe what happens to different data types
Kim Alvefur <zash@zash.se>
parents:
3152
diff
changeset
|
15 its own PubSub item. |
e0de1fdbc80a
mod_pubsub_post/README: Describe what happens to different data types
Kim Alvefur <zash@zash.se>
parents:
3152
diff
changeset
|
16 - Other XML is simply published to a randomly named item as-is. |
e0de1fdbc80a
mod_pubsub_post/README: Describe what happens to different data types
Kim Alvefur <zash@zash.se>
parents:
3152
diff
changeset
|
17 |
3100 | 18 # Configuration |
19 | |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
20 All settings are optional. |
3100 | 21 |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
22 ## Actor identification |
3100 | 23 |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
24 First we have to figure out who is making the request. |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
25 This is configured on a per-node basis like this: |
3501
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
26 |
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
27 ``` {.lua} |
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
28 -- Per node secrets |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
29 pubsub_post_actors = { |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
30 princely_musings = "hamlet@denmark.lit" |
3501
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
31 } |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
32 pubsub_post_default_actor = "nobody@nowhere.invalid" |
3501
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
33 ``` |
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
34 |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
35 `pubsub_post_default_actor` is used when trying to publish to a node |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
36 that is not listed in `pubsub_post_actors`. Otherwise the IP address |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
37 of the connection is used. |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
38 |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
39 ## Authentication |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
40 |
3501
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
41 [WebSub](https://www.w3.org/TR/2018/REC-websub-20180123/) [Authenticated |
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
42 Content |
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
43 Distribution](https://www.w3.org/TR/2018/REC-websub-20180123/#authenticated-content-distribution) |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
44 authentication is used. |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
45 |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
46 ``` {.lua} |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
47 pubsub_post_secrets = { |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
48 princely_musings = "shared secret" |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
49 } |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
50 pubsub_post_default_secret = "default secret" |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
51 ``` |
3501
1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
Kim Alvefur <zash@zash.se>
parents:
3256
diff
changeset
|
52 |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
53 `pubsub_post_default_secret` is used when trying to publish to a node |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
54 that is not listed in `pubsub_post_secrets`. Otherwise the request |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
55 proceeds with the previously identified actor. |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
56 |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
57 ::: {.alert .alert-danger} |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
58 If configured without a secret and a default actor that has permission |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
59 to create nodes the service becomes wide open. |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
60 ::: |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
61 |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
62 ## Authorization |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
63 |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
64 Authorization is handled via pubsub affiliations. Publishing requires an |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
65 affiliation with the _publish_ capability, usually `"publisher"`. |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
66 |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
67 ### Setting up affiliations |
3256
0992c0398783
mod_pubsub_post/README: Add a heading for affiliation related text
Kim Alvefur <zash@zash.se>
parents:
3153
diff
changeset
|
68 |
3152
882f7d5c3ce8
mod_pubsub_post/README: Affiliation management in trunk now
Kim Alvefur <zash@zash.se>
parents:
3151
diff
changeset
|
69 Prosodys PubSub module supports [setting affiliations via |
882f7d5c3ce8
mod_pubsub_post/README: Affiliation management in trunk now
Kim Alvefur <zash@zash.se>
parents:
3151
diff
changeset
|
70 XMPP](https://xmpp.org/extensions/xep-0060.html#owner-affiliations), in |
882f7d5c3ce8
mod_pubsub_post/README: Affiliation management in trunk now
Kim Alvefur <zash@zash.se>
parents:
3151
diff
changeset
|
71 trunk since [revision |
3503
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
72 384ef9732b81](https://hg.prosody.im/trunk/rev/384ef9732b81), so |
882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
Kim Alvefur <zash@zash.se>
parents:
3502
diff
changeset
|
73 affiliations can be configured with a capable client. |
3100 | 74 |
75 It can however be done from another plugin: | |
76 | |
77 ``` {.lua} | |
78 local mod_pubsub = module:depends("pubsub"); | |
79 local pubsub = mod_pubsub.service; | |
80 | |
81 pubsub:create("princely_musings", true); | |
82 pubsub:set_affiliation("princely_musings", true, "127.0.0.1", "publisher"); | |
83 ``` |