comparison mod_http_oauth2/mod_http_oauth2.lua @ 4998:5ab134b7e510

mod_http_oauth2: Updates for Prosody's new role API (backwards-compatible)
author Matthew Wild <mwild1@gmail.com>
date Wed, 13 Jul 2022 11:20:09 +0100
parents 1b81b7269858
children 5dadbe0718f1
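--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -12,17 +12,25 @@
 
 local tokens = module:depends("tokenauth");
 
 local clients = module:open_store("oauth2_clients", "map");
 
-local function filter_scopes(request_jid, requested_scope_string) --luacheck: ignore 212/requested_scope_string
--- We currently don't really support scopes, so override
--- to whatever real permissions the user has
-if usermanager.is_admin(request_jid, module.host) then
-return "prosody:scope:admin";
-end
-return "prosody:scope:default";
+local function filter_scopes(username, host, requested_scope_string)
+if host ~= module.host then
+return usermanager.get_jid_role(username.."@"..host, module.host).name;
+end
+
+if requested_scope_string then -- Specific role requested
+-- TODO: The requested scope string is technically a space-delimited list
+-- of scopes, but for simplicity we're mapping this slot to role names.
+local user_roles = usermanager.get_user_roles(username, module.host);
+if user_roles[requested_scope_string] then
+return requested_scope_string;
+end
+end
+
+return usermanager.get_user_default_role(username, module.host).name;
 end
 
 local function code_expires_in(code)
 return os.difftime(os.time(), code.issued);
 end
@@ -79,11 +87,11 @@
 if not usermanager.test_password(request_username, request_host, request_password) then
 return oauth_error("invalid_grant", "incorrect credentials");
 end
 
 local granted_jid = jid.join(request_username, request_host, request_resource);
-local granted_scopes = filter_scopes(granted_jid, params.scope);
+local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 return json.encode(new_access_token(granted_jid, granted_scopes, nil));
 end
 
 function response_type_handlers.code(params, granted_jid)
 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
@@ -97,11 +105,11 @@
 if err then error(err); end
 if not client then
 return oauth_error("invalid_client", "incorrect credentials");
 end
 
-local granted_scopes = filter_scopes(granted_jid, params.scope);
+local granted_scopes = filter_scopes(client_owner, client_host, params.scope);
 
 local code = uuid.generate();
 local ok = codes:set(params.client_id .. "#" .. code, {
 issued = os.time();
 granted_jid = granted_jid;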
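Review bot: In response_type_handlers.code the role name stored as the token's scope is now computed from client_owner and client_host, i.e. the account that registered the OAuth client, while the token itself is issued for granted_jid, the user who authorised the request (the password-grant hunk above, by contrast, passes the authenticated request_username/request_host). Unless the lines before this hunk pin client_owner to granted_jid, a client registered by an account with a different role — an admin, say — would yield tokens for other users carrying the owner's role name rather than the authorising user's, so I would derive the principal from the token subject instead: `local username, host = jid.split(granted_jid);` followed by `local granted_scopes = filter_scopes(username, host, params.scope);`. Separately, the cross-host branch of filter_scopes dereferences `usermanager.get_jid_role(...).name` with no nil check; if that API can return nil for a JID that holds no role on module.host, the grant handler raises a Lua error instead of returning an OAuth error, so a guard such as `local role = usermanager.get_jid_role(username.."@"..host, module.host); return role and role.name;` (with the caller rejecting a nil scope) would be safer. response_type_handlers.code starts in this hunk but continues past its end.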