comparison mod_http_oauth2/mod_http_oauth2.lua @ 5222:578a72982bb2

mod_http_oauth2: Separate extracting credentials from requests and verifying The token endpoint also uses Basic auth, but the password would be the client_secret, so we need to verify against that instead of using test_password(). Splitting this up here avoids code duplication. Possibly this new function could go into util.http...
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Mar 2023 15:18:41 +0000
parents 22483cfce3ce
children 8b2a36847912
5221:22483cfce3ce 5222:578a72982bb2
339 end 339 end
340 340
341 return {}; 341 return {};
342 end 342 end
343 343
344 local function check_credentials(request, allow_token) 344 local function get_request_credentials(request)
345 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); 345 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
346 346
347 if auth_type == "Basic" then 347 if auth_type == "Basic" then
348 local creds = base64.decode(auth_data); 348 local creds = base64.decode(auth_data);
349 if not creds then return false; end 349 if not creds then return; end
350 local username, password = string.match(creds, "^([^:]+):(.*)$"); 350 local username, password = string.match(creds, "^([^:]+):(.*)$");
351 if not username then return false; end 351 if not username then return; end
352 username, password = encodings.stringprep.nodeprep(username), encodings.stringprep.saslprep(password); 352 return {
353 if not username then return false; end 353 type = "basic";
354 username = username;
355 password = password;
356 };
357 elseif auth_type == "Bearer" then
358 return {
359 type = "bearer";
360 bearer_token = auth_data;
361 };
362 end
363
364 return nil;
365 end
366
367 local function check_credentials(request, allow_token)
368 local credentials = get_request_credentials(request);
369 if not credentials then return nil; end
370
371 if credentials.username and credentials.password then
372 local username = encodings.stringprep.nodeprep(credentials.username);
373 local password = encodings.stringprep.saslprep(credentials.password);
374 if not (username and password) then return false; end
354 if not usermanager.test_password(username, module.host, password) then 375 if not usermanager.test_password(username, module.host, password) then
355 return false; 376 return false;
356 end 377 end
357 return username; 378 return username;
358 elseif auth_type == "Bearer" and allow_token then 379 elseif allow_token and credentials.bearer_token then
359 local token_info = tokens.get_token_info(auth_data); 380 local token_info = tokens.get_token_info(credentials.bearer_token);
360 if not token_info or not token_info.session or token_info.session.host ~= module.host then 381 if not token_info or not token_info.session or token_info.session.host ~= module.host then
361 return false; 382 return false;
362 end 383 end
363 return token_info.session.username; 384 return token_info.session.username;
364 end 385 end