Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5459:260a859be86a
mod_http_oauth2: Rename variables to improve clarity
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 17 May 2023 00:09:37 +0200 |
parents | 813fe4f76286 |
children | c0d62c1b4424 |
comparison
equal
deleted
inserted
replaced
5458:813fe4f76286 | 5459:260a859be86a |
---|---|
82 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); | 82 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); |
83 | 83 |
84 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); | 84 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); |
85 | 85 |
86 local verification_key; | 86 local verification_key; |
87 local jwt_sign, jwt_verify; | 87 local sign_client, verify_client; |
88 if registration_key then | 88 if registration_key then |
89 -- Tie it to the host if global | 89 -- Tie it to the host if global |
90 verification_key = hashes.hmac_sha256(registration_key, module.host); | 90 verification_key = hashes.hmac_sha256(registration_key, module.host); |
91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); | 91 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options); |
92 end | 92 end |
93 | 93 |
94 -- scope : string | array | set | 94 -- scope : string | array | set |
95 -- | 95 -- |
96 -- at each step, allow the same or a subset of scopes | 96 -- at each step, allow the same or a subset of scopes |
372 if params.scope and params.scope ~= "" then | 372 if params.scope and params.scope ~= "" then |
373 -- FIXME allow a subset of granted scopes | 373 -- FIXME allow a subset of granted scopes |
374 return oauth_error("invalid_scope", "unknown scope requested"); | 374 return oauth_error("invalid_scope", "unknown scope requested"); |
375 end | 375 end |
376 | 376 |
377 local client_ok, client = jwt_verify(params.client_id); | 377 local client_ok, client = verify_client(params.client_id); |
378 if not client_ok then | 378 if not client_ok then |
379 return oauth_error("invalid_client", "incorrect credentials"); | 379 return oauth_error("invalid_client", "incorrect credentials"); |
380 end | 380 end |
381 | 381 |
382 if not verify_client_secret(params.client_id, params.client_secret) then | 382 if not verify_client_secret(params.client_id, params.client_secret) then |
407 function grant_type_handlers.refresh_token(params) | 407 function grant_type_handlers.refresh_token(params) |
408 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 408 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
409 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | 409 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end |
410 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end | 410 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end |
411 | 411 |
412 local client_ok, client = jwt_verify(params.client_id); | 412 local client_ok, client = verify_client(params.client_id); |
413 if not client_ok then | 413 if not client_ok then |
414 return oauth_error("invalid_client", "incorrect credentials"); | 414 return oauth_error("invalid_client", "incorrect credentials"); |
415 end | 415 end |
416 | 416 |
417 if not verify_client_secret(params.client_id, params.client_secret) then | 417 if not verify_client_secret(params.client_id, params.client_secret) then |
658 return error_response(request, oauth_error("invalid_request")); | 658 return error_response(request, oauth_error("invalid_request")); |
659 end | 659 end |
660 | 660 |
661 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 661 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
662 | 662 |
663 local ok, client = jwt_verify(params.client_id); | 663 local ok, client = verify_client(params.client_id); |
664 | 664 |
665 if not ok then | 665 if not ok then |
666 return oauth_error("invalid_client", "incorrect credentials"); | 666 return oauth_error("invalid_client", "incorrect credentials"); |
667 end | 667 end |
668 | 668 |
884 -- Ensure each signed client_id JWT is unique, short ID and issued at | 884 -- Ensure each signed client_id JWT is unique, short ID and issued at |
885 -- timestamp should be sufficient to rule out brute force attacks | 885 -- timestamp should be sufficient to rule out brute force attacks |
886 client_metadata.nonce = id.short(); | 886 client_metadata.nonce = id.short(); |
887 | 887 |
888 -- Do we want to keep everything? | 888 -- Do we want to keep everything? |
889 local client_id = jwt_sign(client_metadata); | 889 local client_id = sign_client(client_metadata); |
890 | 890 |
891 client_metadata.client_id = client_id; | 891 client_metadata.client_id = client_id; |
892 client_metadata.client_id_issued_at = os.time(); | 892 client_metadata.client_id_issued_at = os.time(); |
893 | 893 |
894 if client_metadata.token_endpoint_auth_method ~= "none" then | 894 if client_metadata.token_endpoint_auth_method ~= "none" then |