annotate mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua @ 4263:d3af5f94d6df

mod_http_oauth2: Improve storage of client secret Note well: This is still a thing for developers, do not panic!
author Kim Alvefur <zash@zash.se>
date Sun, 22 Nov 2020 01:32:09 +0100
parents 6d7fb22c0440
children b43c6d614d22
1 local adhoc = require "util.adhoc";
2 local dataforms = require "util.dataforms";
3 local errors = require "util.error";
4 local hashes = require "util.hashes";
5 local id = require "util.id";
6 local jid = require "util.jid";
7 local base64 = require"util.encodings".base64;
-- Per-user map store of registered clients. create_client writes it keyed by
-- (creator username, client_id); the value is the submitted form table plus
-- the secret hash, salt and iteration count.
local clients = module:open_store("oauth2_clients", "map");

-- PBKDF2 work factor used when hashing a freshly generated client secret. The
-- value in force at creation time is stored with each client record, so
-- raising it later only affects clients created afterwards.
local iteration_count = module:get_option_number("oauth2_client_iteration_count", 10000);
-- Optional server-wide secret appended to the per-client salt before hashing.
-- It lives only in the config (default: empty), so when set to a long random
-- string a copy of the datastore alone is not enough to verify candidate
-- secrets offline. It must stay constant once clients exist, or their stored
-- hashes will no longer match. NOTE(review): verification is not in this file;
-- whichever module checks client secrets must read the same option — confirm.
local pepper = module:get_option_string("oauth2_client_pepper", "");

-- Form presented by the "Create OAuth2 client" ad-hoc command. Every field the
-- user fills in is persisted verbatim in the client record (see create_client),
-- so treat these values as untrusted wherever they are later rendered or used.
local new_client = dataforms.new({
	title = "Create OAuth2 client";
	{var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#create"};
	{name = "name"; type = "text-single"; label = "Client name"; required = true};
	{name = "description"; type = "text-multi"; label = "Description"};
	{name = "info_url"; type = "text-single"; label = "Informative URL"; desc = "Link to information about your client"};
	-- `required` only enforces presence. RFC 6749 §3.1.2 additionally requires
	-- an absolute URI with no fragment; that is a check for the handler, not
	-- something this form type can express.
	{name = "redirect_uri"; type = "text-single"; label = "Redirection URI"; desc = "Where to redirect the user after authorizing."; required = true};
})

-- One-shot result form returned by create_client on success. The client
-- secret it carries is the only plaintext copy: only a salted PBKDF2 hash is
-- stored, so the secret cannot be recovered or re-displayed afterwards.
local client_created = dataforms.new({
	title = "New OAuth2 client created";
	instructions = "Save these details, they will not be shown again";
	{var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#created"};
	{name = "client_id"; type = "text-single"; label = "Client ID"};
	{name = "client_secret"; type = "text-single"; label = "Client secret"};
})

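-- Handler for the "Create OAuth2 client" ad-hoc form.
--
-- client  : table of submitted form fields (name, description, info_url,
--           redirect_uri); it is mutated to carry the stored secret material
--           and then persisted as the client record.
-- formerr : per-field validation errors from the dataform, or nil.
-- data    : ad-hoc command data; data.from is the JID of the invoking user.
--
-- Returns an ad-hoc result table: {status = "error", error = {message = ...}}
-- on failure, or {status = "completed", result = ...} carrying the generated
-- client_id and the plaintext client_secret, which is shown exactly once.
local function create_client(client, formerr, data)
	if formerr then
		local errmsg = {"Error in form:"};
		for field, err in pairs(formerr) do
			table.insert(errmsg, field .. ": " .. err);
		end
		return {status = "error"; error = {message = table.concat(errmsg, "\n")}};
	end

	-- RFC 6749 §3.1.2: the redirection endpoint must be an absolute URI and
	-- must not include a fragment. The form only enforces presence, so check
	-- it here before a client that can never be redirected to safely is stored.
	local redirect_uri = client.redirect_uri;
	if type(redirect_uri) ~= "string"
		or not redirect_uri:match("^%a[%w+.-]*:")
		or redirect_uri:find("#", 1, true) then
		return {status = "error"; error = {message = "redirect_uri must be an absolute URI without a fragment"}};
	end

	-- Records are stored per local username; jid.split yields the node first.
	-- The "local_user" permission on the command should guarantee a node is
	-- present, but a bare-host sender would otherwise write under a nil key.
	local creator = jid.split(data.from);
	if not creator then
		return {status = "error"; error = {message = "Only local users can create clients"}};
	end

	-- NOTE(review): assumes util.id draws from a cryptographic RNG — confirm.
	local client_id = id.short();
	local client_secret = id.long();
	local salt = id.medium();
	local i = iteration_count;

	-- Only a PBKDF2-HMAC-SHA256 hash of the secret is persisted; the plaintext
	-- is returned to the creator once and never stored. The per-client salt
	-- and iteration count are kept with the record so the hash can be
	-- recomputed later; the pepper stays in the config.
	client.secret_hash = base64.encode(hashes.pbkdf2_hmac_sha256(client_secret, salt .. pepper, i));
	client.iteration_count = i;
	client.salt = salt;

	local ok, err = errors.coerce(clients:set(creator, client_id, client));
	if not ok then
		-- Log the failure instead of claiming the client was created.
		module:log("warn", "Failed to store OAuth2 client %q for %s: %s", client_id, data.from, tostring(err));
		return {status = "error"; error = {message = err}};
	end
	module:log("info", "OAuth2 client %q created by %s", client_id, data.from);

	-- Return the generated id: client.client_id is never set on the form table,
	-- so reading it back would leave the Client ID field empty.
	return {status = "completed"; result = {layout = client_created; values = {client_id = client_id; client_secret = client_secret}}};
end
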
-- Pair the form with its handler as a single-step ad-hoc command.
local handler = adhoc.new_simple_form(new_client, create_client);

-- Register the command under the form's FORM_TYPE URN (new_client[1] is the
-- hidden FORM_TYPE field). NOTE(review): the last argument looks like the
-- permission level required to run it; "local_user" would mean any local
-- account on this host can register clients, not only admins — confirm
-- against the shared "adhoc" helper.
module:provides("adhoc", module:require "adhoc".new(new_client.title, new_client[1].value, handler, "local_user"));

-- TODO list/manage/revoke clients. Nothing in this module revokes a client, so
-- until that exists a leaked client secret can only be invalidated by removing
-- the record from the "oauth2_clients" store by hand.