Mercurial > prosody-modules
annotate mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua @ 5259:8fba651b10ef
mod_http_oauth2: Refactor to allow reuse of OAuth client creation
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 19 Mar 2023 22:13:27 +0100 |
parents | 871d140d61bb |
children | a9c1cc91d3d6 |
rev | line source |
---|---|
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 local adhoc = require "util.adhoc"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 local dataforms = require "util.dataforms"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local errors = require "util.error"; |
4263
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
4 local hashes = require "util.hashes"; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local id = require "util.id"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local jid = require "util.jid"; |
4263
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
7 local base64 = require"util.encodings".base64; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local clients = module:open_store("oauth2_clients", "map"); |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
4263
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
11 local iteration_count = module:get_option_number("oauth2_client_iteration_count", 10000); |
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
12 local pepper = module:get_option_string("oauth2_client_pepper", ""); |
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
13 |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local new_client = dataforms.new({ |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 title = "Create OAuth2 client"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 {var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#create"}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 {name = "name"; type = "text-single"; label = "Client name"; required = true}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 {name = "description"; type = "text-multi"; label = "Description"}; |
4267
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
19 {name = "info_url"; type = "text-single"; label = "Informative URL"; desc = "Link to information about your client"; datatype = "xs:anyURI"}; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
20 { |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
21 name = "redirect_uri"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
22 type = "text-single"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
23 label = "Redirection URI"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
24 desc = "Where to redirect the user after authorizing."; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
25 datatype = "xs:anyURI"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
26 required = true; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
27 }; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 }) |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 local client_created = dataforms.new({ |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 title = "New OAuth2 client created"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 instructions = "Save these details, they will not be shown again"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 {var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#created"}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 {name = "client_id"; type = "text-single"; label = "Client ID"}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 {name = "client_secret"; type = "text-single"; label = "Client secret"}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 }) |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 local function create_client(client, formerr, data) |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 if formerr then |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 local errmsg = {"Error in form:"}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 for field, err in pairs(formerr) do table.insert(errmsg, field .. ": " .. err); end |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 return {status = "error"; error = {message = table.concat(errmsg, "\n")}}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 end |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 local creator = jid.split(data.from); |
4268
871d140d61bb
mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents:
4267
diff
changeset
|
46 local client_uid = id.short(); |
871d140d61bb
mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents:
4267
diff
changeset
|
47 local client_id = jid.join(creator, module.host, client_uid); |
4263
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
48 local client_secret = id.long(); |
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
49 local salt = id.medium(); |
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
50 local i = iteration_count; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 |
4263
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
52 client.secret_hash = base64.encode(hashes.pbkdf2_hmac_sha256(client_secret, salt .. pepper, i)); |
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
53 client.iteration_count = i; |
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
54 client.salt = salt; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 |
4268
871d140d61bb
mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents:
4267
diff
changeset
|
56 local ok, err = errors.coerce(clients:set(creator, client_uid, client)); |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 module:log("info", "OAuth2 client %q created by %s", client_id, data.from); |
4266
b43c6d614d22
mod_adhoc_oauth2_client: Fix adhoc status on error
Kim Alvefur <zash@zash.se>
parents:
4263
diff
changeset
|
58 if not ok then return {status = "canceled"; error = {message = err}}; end |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
4268
871d140d61bb
mod_adhoc_oauth2_client: Fix including final client_id in result form
Kim Alvefur <zash@zash.se>
parents:
4267
diff
changeset
|
60 return {status = "completed"; result = {layout = client_created; values = {client_id = client_id; client_secret = client_secret}}}; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 end |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 local handler = adhoc.new_simple_form(new_client, create_client); |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 module:provides("adhoc", module:require "adhoc".new(new_client.title, new_client[1].value, handler, "local_user")); |
4262
6d7fb22c0440
mod_adhoc_oauth2_client: Note TODO
Kim Alvefur <zash@zash.se>
parents:
4261
diff
changeset
|
66 |
6d7fb22c0440
mod_adhoc_oauth2_client: Note TODO
Kim Alvefur <zash@zash.se>
parents:
4261
diff
changeset
|
67 -- TODO list/manage/revoke clients |