annotate mod_auth_http_cookie/mod_auth_http_cookie.lua @ 5548:fd3c12c40cd9

mod_http_oauth2: Disable CORS for authorization endpoint

Per recommendation in draft-ietf-oauth-security-topics-23

Hopefully it is enough to return an error status, since mod_http will add CORS headers from a handler with higher priority, even for OPTIONS.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:05:57 +0200
parents b7aa8630438e
children
rev   line source
3037
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 -- Prosody IM
2 -- Copyright (C) 2008-2013 Matthew Wild
3 -- Copyright (C) 2008-2013 Waqas Hussain
4 -- Copyright (C) 2014 Kim Alvefur
5 --
6 -- This project is MIT/X11 licensed. Please see the
7 -- COPYING file in the source package for more information.
8 --
9
10 local new_sasl = require "util.sasl".new;
11 local base64 = require "util.encodings".base64.encode;
12 local have_async, async = pcall(require, "util.async");
13
14 local nodeprep = require "util.encodings".stringprep.nodeprep;
15
16 local log = module._log;
17 local host = module.host;
18
19 local password_auth_url = module:get_option_string("http_auth_url", ""):gsub("$host", host);
20
21 local cookie_auth_url = module:get_option_string("http_cookie_auth_url");
22 if cookie_auth_url then
23 cookie_auth_url = cookie_auth_url:gsub("$host", host);
24 end
25
26 local external_needs_authzid = cookie_auth_url and cookie_auth_url:match("$user");
27
28 if password_auth_url == "" and not cookie_auth_url then error("http_auth_url or http_cookie_auth_url required") end
29
30
31 local provider = {};
32
33 -- globals required by socket.http
34 if rawget(_G, "PROXY") == nil then
35 rawset(_G, "PROXY", false)
36 end
37 if rawget(_G, "base_parsed") == nil then
38 rawset(_G, "base_parsed", false)
39 end
40 if not have_async then -- FINE! Set your globals then
41 prosody.unlock_globals()
42 require "ltn12"
43 require "socket"
44 require "socket.http"
45 require "ssl.https"
46 prosody.lock_globals()
47 end
48
49 local function async_http_request(url, headers)
50 module:log("debug", "async_http_auth()");
51 local http = require "net.http";
52 local wait, done = async.waiter();
53 local content, code, request, response;
54 local ex = {
55 headers = headers;
56 }
57 local function cb(content_, code_, request_, response_)
58 content, code, request, response = content_, code_, request_, response_;
59 done();
60 end
61 http.request(url, ex, cb);
62 wait();
63 log("debug", "response code %s", tostring(code));
64 if code >= 200 and code <= 299 then
65 return true, content;
66 end
67 return nil;
68 end
69
70 local function sync_http_request(url, headers)
71 module:log("debug", "sync_http_auth()");
72 require "ltn12";
73 local http = require "socket.http";
74 local https = require "ssl.https";
75 local request;
76 if string.sub(url, 1, string.len('https')) == 'https' then
77 request = https.request;
78 else
79 request = http.request;
80 end
81 local body_chunks = {};
82 local _, code, headers, status = request{
83 url = url,
84 headers = headers;
85 sink = ltn12.sink.table(body_chunks);
86 };
87 log("debug", "response code %s %s", type(code), tostring(code));
88 if type(code) == "number" and code >= 200 and code <= 299 then
89 log("debug", "success")
90 return true, table.concat(body_chunks);
91 end
92 return nil;
93 end
94
95 local http_request = have_async and async_http_request or sync_http_request;
96
97 function http_test_password(username, password)
98 local url = password_auth_url:gsub("$user", username):gsub("$password", password);
99 log("debug", "Testing password for user %s at host %s with URL %s", username, host, url);
100 local ok = (http_request(url, { Authorization = "Basic "..base64(username..":"..password); }));
101 if not ok then
102 return nil, "not authorized";
103 end
104 return true;
105 end
106
107 function http_test_cookie(cookie, username)
108 local url = external_needs_authzid and cookie_auth_url:gsub("$user", username) or cookie_auth_url;
109 log("debug", "Testing cookie auth for user %s at host %s with URL %s", username or "<unknown>", host, url);
110 local ok, resp = http_request(url, { Cookie = cookie; });
111 if not ok then
112 return nil, "not authorized";
113 end
114
115 return external_needs_authzid or resp;
116 end
117
118 function provider.test_password(username, password)
119 return http_test_password(username, password);
120 end
121
122 function provider.users()
123 return function()
124 return nil;
125 end
126 end
127
128 function provider.set_password(username, password)
129 return nil, "Changing passwords not supported";
130 end
131
132 function provider.user_exists(username)
133 return true;
134 end
135
136 function provider.create_user(username, password)
137 return nil, "User creation not supported";
138 end
139
140 function provider.delete_user(username)
141 return nil , "User deletion not supported";
142 end
143
144 local function get_session_cookies(session)
3224
b7aa8630438e mod_auth_http_cookie: Also try to get HTTP request from WebSocket session
Kim Alvefur <zash@zash.se>
parents: 3223
diff changeset
145 local request = session.websocket_request; -- WebSockets
146 if not request and session.requests then -- BOSH
147 request = session.requests[1];
3223
9a89ec5030b5 mod_auth_http_cookie: Try to get HTTP request from array on BOSH sessions
Kim Alvefur <zash@zash.se>
parents: 3037
diff changeset
148 end
149 if not request and session.conn._http_open_response then -- Fallback BOSH
150 local response = session.conn._http_open_response;
151 request = response and response.request;
152 end
3037
153 if request then
154 return request.headers.cookie;
155 end
156 end
157
158 function provider.get_sasl_handler(session)
159 local cookie = cookie_auth_url and get_session_cookies(session);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
160 log("debug", "Request cookie: %s", cookie);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
161 return new_sasl(host, {
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
162 plain_test = function(sasl, username, password, realm)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
163 return provider.test_password(username, password), true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
164 end;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
165 external = cookie and function (authzid)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
166 if external_needs_authzid then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 -- Authorize the username provided by the client, using request cookie
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 if authzid ~= "" then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
169 module:log("warn", "Client requested authzid, but cookie auth URL does not contain $user variable");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
170 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
171 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
172 local success = http_test_cookie(cookie);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
173 if not success then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
174 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
175 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
176 return nodeprep(authzid), true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
177 else
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
178 -- Authorize client using request cookie, username comes from auth server
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
179 if authzid == "" then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
180 module:log("warn", "Client did not provide authzid, but cookie auth URL contains $user variable");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
181 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
182 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
183 local unprepped_username = http_test_cookie(cookie, nodeprep(authzid));
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
184 local username = nodeprep(unprepped_username);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
185 if not username then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
186 if unprepped_username then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
187 log("warn", "Username supplied by cookie_auth_url is not valid for XMPP");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
188 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
189 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
190 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
191 return username, true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
192 end;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
193 end;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
194 });
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
195 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
196
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
197 module:provides("auth", provider);