annotate mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua @ 5401:c8d04ac200fc

mod_http_oauth2: Reject loopback URIs as client_uri. This really should be a proper website with info; https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would be best avoided.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:20:55 +0200
parents a9c1cc91d3d6
children
local adhoc = require("util.adhoc");
local dataforms = require("util.dataforms");

-- This module only supplies the ad-hoc form and result UI; the actual
-- client registration is delegated to mod_http_oauth2.create_client,
-- which is why that module is a hard dependency here.
local mod_http_oauth2 = module:depends("http_oauth2");
-- Form presented by the "Create OAuth2 client" ad-hoc command.
-- Field names (client_name, client_uri, redirect_uri) match the OAuth2
-- client metadata names so the submitted data can be handed to
-- mod_http_oauth2 with minimal reshaping. The FORM_TYPE field must stay
-- first: its value is reused as the ad-hoc command node.
local new_client = dataforms.new({
	title = "Create OAuth2 client",
	{
		type = "hidden",
		var = "FORM_TYPE",
		value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#create",
	},
	{
		type = "text-single",
		name = "client_name",
		label = "Client name",
		required = true,
	},
	{
		type = "text-single",
		name = "client_uri",
		label = "Informative URL",
		-- The https requirement stated here is presumably enforced by
		-- mod_http_oauth2 when the client is created; the form itself only
		-- advertises the datatype via XEP-0122.
		desc = "Link to information about your client. MUST be https URI.",
		datatype = "xs:anyURI",
		required = true,
	},
	{
		type = "text-single",
		name = "redirect_uri",
		label = "Redirection URI",
		-- Only a single redirect URI is collected; the callback wraps it in
		-- a list before registration.
		desc = "Where to redirect the user after authorizing.",
		datatype = "xs:anyURI",
		required = true,
	},
})
-- Result form shown once after a successful registration. It carries the
-- freshly generated credentials; the instructions warn that the secret is
-- not retrievable afterwards, so the values here must be treated as the
-- one and only hand-over of client_secret to the user.
local client_created = dataforms.new({
	title = "New OAuth2 client created",
	instructions = "Save these details, they will not be shown again",
	{
		type = "hidden",
		var = "FORM_TYPE",
		value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#created",
	},
	{ type = "text-single", name = "client_id", label = "Client ID" },
	{ type = "text-single", name = "client_secret", label = "Client secret" },
})
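-- Ad-hoc form callback: registers a new OAuth2 client from the submitted
-- form values and returns the generated credentials in the result form.
--
-- client:  decoded form values, keyed by field name (client_name,
--          client_uri, redirect_uri)
-- formerr: per-field validation errors from util.dataforms, or nil when
--          the form validated
-- data:    ad-hoc session data; data.from is the JID of the requester
--
-- Returns an ad-hoc command result table ({ status = ... }).
local function create_client(client, formerr, data)
	if formerr then
		-- Collect every field error into one multi-line message.
		local errmsg = { "Error in form:" };
		for field, err in pairs(formerr) do
			table.insert(errmsg, field .. ": " .. err);
		end
		return { status = "error"; error = { message = table.concat(errmsg, "\n") } };
	end

	-- mod_http_oauth2 expects a list of redirect URIs (redirect_uris), while
	-- this form only collects a single redirect_uri.
	client.redirect_uris = { client.redirect_uri };
	client.redirect_uri = nil;

	-- Validation of the metadata (e.g. the https-only client_uri) and the
	-- storage of the client happen in mod_http_oauth2; its error value is
	-- passed through unchanged.
	local client_metadata, err = mod_http_oauth2.create_client(client);
	if err then return { status = "error"; error = err }; end

	-- The form fields are client_name and client_uri; the previous
	-- client.name / client.info_uri were never set and always logged as nil.
	-- client_metadata (which carries the client_secret) is deliberately
	-- kept out of the log and only returned to the requester.
	module:log("info", "OAuth2 client %q %q created by %s", client.client_name, client.client_uri, data.from);

	return { status = "completed"; result = { layout = client_created; values = client_metadata } };
end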
-- Bind the registration form to its callback.
local handler = adhoc.new_simple_form(new_client, create_client);

-- The command is named after the form title and uses the FORM_TYPE value
-- (first field of the form) as its node. The final argument, "local_user",
-- is the permission level handed to util.adhoc; presumably this makes the
-- command available to any local account, so every such account can
-- register OAuth2 clients through it.
local command_name = new_client.title;
local command_node = new_client[1].value;
module:provides("adhoc", module:require("adhoc").new(command_name, command_node, handler, "local_user"));

-- TODO list/manage/revoke clients