comparison mod_http_oauth2/mod_http_oauth2.lua @ 5256:44f7edd4f845
mod_http_oauth2: Reject non-local hosts in more code paths
We're not issuing tokens for users on remote hosts; we can't even
authenticate them since they're remote. Thus the host is always the
local module.host, so there is no need to pass the host around in most cases
or to use it for anything but enforcing the same host.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 17:52:10 +0100 |
parents | 001c8fdc91a4 |
children | b2120fb4a279 |
5255:001c8fdc91a4 | 5256:44f7edd4f845 |
---|---|
76 | 76 |
77 local function parse_scopes(scope_string) | 77 local function parse_scopes(scope_string) |
78 return array(scope_string:gmatch("%S+")); | 78 return array(scope_string:gmatch("%S+")); |
79 end | 79 end |
80 | 80 |
81 local function filter_scopes(username, host, requested_scope_string) | 81 local function filter_scopes(username, requested_scope_string) |
82 if host ~= module.host then | |
83 return usermanager.get_jid_role(username.."@"..host, module.host).name; | |
84 end | |
85 | |
86 local selected_role, granted_scopes = nil, array(); | 82 local selected_role, granted_scopes = nil, array(); |
87 | 83 |
88 if requested_scope_string then -- Specific role(s) requested | 84 if requested_scope_string then -- Specific role(s) requested |
89 local requested_scopes = parse_scopes(requested_scope_string); | 85 local requested_scopes = parse_scopes(requested_scope_string); |
90 for _, scope in ipairs(requested_scopes) do | 86 for _, scope in ipairs(requested_scopes) do |
205 if not usermanager.test_password(request_username, request_host, request_password) then | 201 if not usermanager.test_password(request_username, request_host, request_password) then |
206 return oauth_error("invalid_grant", "incorrect credentials"); | 202 return oauth_error("invalid_grant", "incorrect credentials"); |
207 end | 203 end |
208 | 204 |
209 local granted_jid = jid.join(request_username, request_host, request_resource); | 205 local granted_jid = jid.join(request_username, request_host, request_resource); |
210 local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope); | 206 local granted_scopes, granted_role = filter_scopes(request_username, params.scope); |
211 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil)); | 207 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil)); |
212 end | 208 end |
213 | 209 |
214 function response_type_handlers.code(client, params, granted_jid) | 210 function response_type_handlers.code(client, params, granted_jid) |
215 local request_username, request_host = jid.split(granted_jid); | 211 local request_username, request_host = jid.split(granted_jid); |
216 local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope); | 212 if not request_host or request_host ~= module.host then |
213 return oauth_error("invalid_request", "invalid JID"); | |
214 end | |
215 local granted_scopes, granted_role = filter_scopes(request_username, params.scope); | |
217 | 216 |
218 local code = id.medium(); | 217 local code = id.medium(); |
219 local ok = codes:set(params.client_id .. "#" .. code, { | 218 local ok = codes:set(params.client_id .. "#" .. code, { |
220 expires = os.time() + 600; | 219 expires = os.time() + 600; |
221 granted_jid = granted_jid; | 220 granted_jid = granted_jid; |
263 end | 262 end |
264 | 263 |
265 -- Implicit flow | 264 -- Implicit flow |
266 function response_type_handlers.token(client, params, granted_jid) | 265 function response_type_handlers.token(client, params, granted_jid) |
267 local request_username, request_host = jid.split(granted_jid); | 266 local request_username, request_host = jid.split(granted_jid); |
268 local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope); | 267 if not request_host or request_host ~= module.host then |
268 return oauth_error("invalid_request", "invalid JID"); | |
269 end | |
270 local granted_scopes, granted_role = filter_scopes(request_username, params.scope); | |
269 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, nil, client); | 271 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, nil, client); |
270 | 272 |
271 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); | 273 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); |
272 token_info.state = params.state; | 274 token_info.state = params.state; |
273 redirect.fragment = http.formencode(token_info); | 275 redirect.fragment = http.formencode(token_info); |
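Review bot: The password grant at new line 206 now calls `filter_scopes(request_username, params.scope)` without the host check that the old `filter_scopes` performed itself, and no `request_host ~= module.host` guard is visible in that hunk, so unless one exists above it this path rejects remote hosts only implicitly, through `usermanager.test_password(request_username, request_host, ...)` failing. The start of that grant handler is outside the hunk, so the guard may already be there; if it is not, the same check the code and token handlers gained (`if not request_host or request_host ~= module.host then return oauth_error("invalid_request", "invalid JID"); end`) belongs before the `test_password` call. That guard is now duplicated verbatim in `response_type_handlers.code` (new 212-214) and `response_type_handlers.token` (new 267-269); a small local helper such as `local function is_local_host(host) return host ~= nil and host == module.host end` would keep all call sites consistent. Since `filter_scopes` no longer enforces the host, a one-line comment on its definition (new line 81) stating that callers must validate the host against `module.host` first would document the new contract.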