mod_http_oauth2: Separate extracting credentials from requests and verifying
The token endpoint also uses Basic auth, but the password would be the
client_secret, so we need to verify against that instead of using
test_password(). Splitting this up here avoids code duplication.
Possibly this new function could go into util.http...
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 07 Mar 2023 15:18:41 +0000 |
parents | 22483cfce3ce |
children | 8b2a36847912 |
5221:22483cfce3ce | 5222:578a72982bb2 |
---|---|
339 end | 339 end |
340 | 340 |
341 return {}; | 341 return {}; |
342 end | 342 end |
343 | 343 |
344 local function check_credentials(request, allow_token) | 344 local function get_request_credentials(request) |
345 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); | 345 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); |
346 | 346 |
347 if auth_type == "Basic" then | 347 if auth_type == "Basic" then |
348 local creds = base64.decode(auth_data); | 348 local creds = base64.decode(auth_data); |
349 if not creds then return false; end | 349 if not creds then return; end |
350 local username, password = string.match(creds, "^([^:]+):(.*)$"); | 350 local username, password = string.match(creds, "^([^:]+):(.*)$"); |
351 if not username then return false; end | 351 if not username then return; end |
352 username, password = encodings.stringprep.nodeprep(username), encodings.stringprep.saslprep(password); | 352 return { |
353 if not username then return false; end | 353 type = "basic"; |
354 username = username; | |
355 password = password; | |
356 }; | |
357 elseif auth_type == "Bearer" then | |
358 return { | |
359 type = "bearer"; | |
360 bearer_token = auth_data; | |
361 }; | |
362 end | |
363 | |
364 return nil; | |
365 end | |
366 | |
367 local function check_credentials(request, allow_token) | |
368 local credentials = get_request_credentials(request); | |
369 if not credentials then return nil; end | |
370 | |
371 if credentials.username and credentials.password then | |
372 local username = encodings.stringprep.nodeprep(credentials.username); | |
373 local password = encodings.stringprep.saslprep(credentials.password); | |
374 if not (username and password) then return false; end | |
354 if not usermanager.test_password(username, module.host, password) then | 375 if not usermanager.test_password(username, module.host, password) then |
355 return false; | 376 return false; |
356 end | 377 end |
357 return username; | 378 return username; |
358 elseif auth_type == "Bearer" and allow_token then | 379 elseif allow_token and credentials.bearer_token then |
359 local token_info = tokens.get_token_info(auth_data); | 380 local token_info = tokens.get_token_info(credentials.bearer_token); |
360 if not token_info or not token_info.session or token_info.session.host ~= module.host then | 381 if not token_info or not token_info.session or token_info.session.host ~= module.host then |
361 return false; | 382 return false; |
362 end | 383 end |
363 return token_info.session.username; | 384 return token_info.session.username; |
364 end | 385 end |