Mercurial > prosody-modules
annotate mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua @ 5401:c8d04ac200fc
mod_http_oauth2: Reject loopback URIs as client_uri
This really should be a proper website with info, https://localhost is
not good enough. Ideally we'd validate that it's got proper DNS and is
actually reachable, but triggering HTTP or even DNS lookups seems like
it would carry abuse potential that would best to avoid.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:20:55 +0200 |
parents | a9c1cc91d3d6 |
children |
rev | line source |
---|---|
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 local adhoc = require "util.adhoc"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 local dataforms = require "util.dataforms"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
4 local mod_http_oauth2 = module:depends"http_oauth2"; |
4263
d3af5f94d6df
mod_http_oauth2: Improve storage of client secret
Kim Alvefur <zash@zash.se>
parents:
4262
diff
changeset
|
5 |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local new_client = dataforms.new({ |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 title = "Create OAuth2 client"; |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
8 { var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#create" }; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
9 { name = "client_name"; type = "text-single"; label = "Client name"; required = true }; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
10 { |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
11 name = "client_uri"; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
12 type = "text-single"; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
13 label = "Informative URL"; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
14 desc = "Link to information about your client. MUST be https URI."; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
15 datatype = "xs:anyURI"; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
16 required = true; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
17 }; |
4267
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
18 { |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
19 name = "redirect_uri"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
20 type = "text-single"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
21 label = "Redirection URI"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
22 desc = "Where to redirect the user after authorizing."; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
23 datatype = "xs:anyURI"; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
24 required = true; |
43284437c5ed
mod_adhoc_oauth2_client: Advertise URI fields with XEP-0122
Kim Alvefur <zash@zash.se>
parents:
4266
diff
changeset
|
25 }; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 }) |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local client_created = dataforms.new({ |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 title = "New OAuth2 client created"; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 instructions = "Save these details, they will not be shown again"; |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
31 { var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#created" }; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
32 { name = "client_id"; type = "text-single"; label = "Client ID" }; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
33 { name = "client_secret"; type = "text-single"; label = "Client secret" }; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 }) |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 local function create_client(client, formerr, data) |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 if formerr then |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 local errmsg = {"Error in form:"}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 for field, err in pairs(formerr) do table.insert(errmsg, field .. ": " .. err); end |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 return {status = "error"; error = {message = table.concat(errmsg, "\n")}}; |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 end |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
42 client.redirect_uris = { client.redirect_uri }; |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
43 client.redirect_uri = nil; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
45 local client_metadata, err = mod_http_oauth2.create_client(client); |
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
46 if err then return { status = "error"; error = err }; end |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
48 module:log("info", "OAuth2 client %q %q created by %s", client.name, client.info_uri, data.from); |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
5260
a9c1cc91d3d6
mod_adhoc_oauth2_client: Update to call into mod_http_oauth2
Kim Alvefur <zash@zash.se>
parents:
4268
diff
changeset
|
50 return { status = "completed"; result = { layout = client_created; values = client_metadata } }; |
4261
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 end |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 local handler = adhoc.new_simple_form(new_client, create_client); |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
608be9a66876
mod_adhoc_oauth2_client: Allow creating OAuth2 clients via ad-hoc
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 module:provides("adhoc", module:require "adhoc".new(new_client.title, new_client[1].value, handler, "local_user")); |
4262
6d7fb22c0440
mod_adhoc_oauth2_client: Note TODO
Kim Alvefur <zash@zash.se>
parents:
4261
diff
changeset
|
56 |
6d7fb22c0440
mod_adhoc_oauth2_client: Note TODO
Kim Alvefur <zash@zash.se>
parents:
4261
diff
changeset
|
57 -- TODO list/manage/revoke clients |