prosody-modules: mod_flash_policy/mod_flash

annotate mod_flash_policy/mod_flash_policy.lua @ 5448:9d542e86e19a

mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.

author	Kim Alvefur <zash@zash.se>
date	Thu, 11 May 2023 21:40:09 +0200
parents	7dbde05b48a9
children

rev	line source
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	1 local filters = require "util.filters";
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	2 local config = {}
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	3 config.file = module:get_option_string("crossdomain_file", "");
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	4 config.string = module:get_option_string("crossdomain_string", [[<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"/><allow-access-from domain="*" /></cross-domain-policy>]]);
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	5 local string = ''
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	6 if not config.file ~= '' then
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	7 local f = assert(io.open(config.file));
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	8 string = f:read("*all");
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	9 else
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	10 string = config.string
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	11 end
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	12
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	13 module:log("debug", "crossdomain string: "..string);
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	14
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	15 module:set_global();
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	16
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	17 function filter_policy(data, session)
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	18 -- Since we only want to check the first block of data, remove the filter
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	19 filters.remove_filter(session, "bytes/in", filter_policy);
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	20 if data == "<policy-file-request/>\0" then
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	21 session.send(string.."\0");
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	22 return nil; -- Drop data to prevent it reaching the XMPP parser
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	23 else
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	24 return data; -- Pass data through, it wasn't a policy request
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	25 end
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 395 diff changeset	26
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	27 end
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	28
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	29 function filter_session(session)
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	30 if session.type == "c2s_unauthed" then
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	31 filters.add_filter(session, "bytes/in", filter_policy, -1);
77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	32 end
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	33 end
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	34
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	35 function module.load()
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	36 filters.add_filter_hook(filter_session);
394 4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	37 end
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	38
4219f69be1cf Let session.send() actually send the config string leonbogaert@gmail.com parents: 379 diff changeset	39 function module.unload()
395 77ca0947647b Copied from bash :s leonbogaert@gmail.com parents: 394 diff changeset	40 filters.remove_filter_hook(filter_session);
379 eebc19c224fb Moved the file to a directory leonbogaert parents: diff changeset	41 end

Mercurial > prosody-modules

annotate mod_flash_policy/mod_flash_policy.lua @ 5448:9d542e86e19a