Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 4998:5ab134b7e510
mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible)
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 13 Jul 2022 11:20:09 +0100 |
| parents | 1b81b7269858 |
| children | 5dadbe0718f1 |
comparison
equal
deleted
inserted
replaced
| 4997:1b5869c34026 | 4998:5ab134b7e510 |
|---|---|
| 12 | 12 |
| 13 local tokens = module:depends("tokenauth"); | 13 local tokens = module:depends("tokenauth"); |
| 14 | 14 |
| 15 local clients = module:open_store("oauth2_clients", "map"); | 15 local clients = module:open_store("oauth2_clients", "map"); |
| 16 | 16 |
| 17 local function filter_scopes(request_jid, requested_scope_string) --luacheck: ignore 212/requested_scope_string | 17 local function filter_scopes(username, host, requested_scope_string) |
| 18 -- We currently don't really support scopes, so override | 18 if host ~= module.host then |
| 19 -- to whatever real permissions the user has | 19 return usermanager.get_jid_role(username.."@"..host, module.host).name; |
| 20 if usermanager.is_admin(request_jid, module.host) then | 20 end |
| 21 return "prosody:scope:admin"; | 21 |
| 22 end | 22 if requested_scope_string then -- Specific role requested |
| 23 return "prosody:scope:default"; | 23 -- TODO: The requested scope string is technically a space-delimited list |
| 24 -- of scopes, but for simplicity we're mapping this slot to role names. | |
| 25 local user_roles = usermanager.get_user_roles(username, module.host); | |
| 26 if user_roles[requested_scope_string] then | |
| 27 return requested_scope_string; | |
| 28 end | |
| 29 end | |
| 30 | |
| 31 return usermanager.get_user_default_role(username, module.host).name; | |
| 24 end | 32 end |
| 25 | 33 |
| 26 local function code_expires_in(code) | 34 local function code_expires_in(code) |
| 27 return os.difftime(os.time(), code.issued); | 35 return os.difftime(os.time(), code.issued); |
| 28 end | 36 end |
| 79 if not usermanager.test_password(request_username, request_host, request_password) then | 87 if not usermanager.test_password(request_username, request_host, request_password) then |
| 80 return oauth_error("invalid_grant", "incorrect credentials"); | 88 return oauth_error("invalid_grant", "incorrect credentials"); |
| 81 end | 89 end |
| 82 | 90 |
| 83 local granted_jid = jid.join(request_username, request_host, request_resource); | 91 local granted_jid = jid.join(request_username, request_host, request_resource); |
| 84 local granted_scopes = filter_scopes(granted_jid, params.scope); | 92 local granted_scopes = filter_scopes(request_username, request_host, params.scope); |
| 85 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); | 93 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); |
| 86 end | 94 end |
| 87 | 95 |
| 88 function response_type_handlers.code(params, granted_jid) | 96 function response_type_handlers.code(params, granted_jid) |
| 89 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 97 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 97 if err then error(err); end | 105 if err then error(err); end |
| 98 if not client then | 106 if not client then |
| 99 return oauth_error("invalid_client", "incorrect credentials"); | 107 return oauth_error("invalid_client", "incorrect credentials"); |
| 100 end | 108 end |
| 101 | 109 |
| 102 local granted_scopes = filter_scopes(granted_jid, params.scope); | 110 local granted_scopes = filter_scopes(client_owner, client_host, params.scope); |
| 103 | 111 |
| 104 local code = uuid.generate(); | 112 local code = uuid.generate(); |
| 105 local ok = codes:set(params.client_id .. "#" .. code, { | 113 local ok = codes:set(params.client_id .. "#" .. code, { |
| 106 issued = os.time(); | 114 issued = os.time(); |
| 107 granted_jid = granted_jid; | 115 granted_jid = granted_jid; |