comparison mod_http_oauth2/mod_http_oauth2.lua @ 5510:a49d73e4262e
mod_http_oauth2: Add client verification wrapper function
Fixes the weird ok, data return format from util.jwt, but the real
reason is to add some preparation steps here.
author | Kim Alvefur <zash@zash.se> |
date | Fri, 02 Jun 2023 10:12:46 +0200 |
parents | ae007be8a6bd |
children | 0860497152af |
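--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -95,10 +95,21 @@
 -- Tie it to the host if global
 verification_key = hashes.hmac_sha256(registration_key, module.host);
 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options);
 end
 
+-- verify and prepare client structure
+local function check_client(client_id)
+if not verify_client then
+return nil, "client-registration-not-enabled";
+end
+
+local ok, client = verify_client(client_id);
+if not ok then return ok, client; end
+return client;
+end
+
 -- scope : string | array | set
 --
 -- at each step, allow the same or a subset of scopes
 -- (all ( client ( grant ( token ) ) ))
 -- preserve order since it determines role if more than one granted
@@ -407,12 +418,12 @@
 if params.scope and params.scope ~= "" then
 -- FIXME allow a subset of granted scopes
 return oauth_error("invalid_scope", "unknown scope requested");
 end
 
-local client_ok, client = verify_client(params.client_id);
-if not client_ok then
+local client = check_client(params.client_id);
+if not client then
 return oauth_error("invalid_client", "incorrect credentials");
 end
 
 if not verify_client_secret(params.client_id, params.client_secret) then
 module:log("debug", "client_secret mismatch");
@@ -442,12 +453,12 @@
 function grant_type_handlers.refresh_token(params)
 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
 
-local client_ok, client = verify_client(params.client_id);
-if not client_ok then
+local client = check_client(params.client_id);
+if not client then
 return oauth_error("invalid_client", "incorrect credentials");
 end
 
 if not verify_client_secret(params.client_id, params.client_secret) then
 module:log("debug", "client_secret mismatch");
@@ -702,13 +713,13 @@
 
 if not params.client_id then
 return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter"));
 end
 
-local ok, client = verify_client(params.client_id);
+local client = check_client(params.client_id);
 
-if not ok then
+if not client then
 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter"));
 end
 
 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
 if not redirect_uri then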
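Review bot: The reason string that check_client returns as its second value is dropped at every new call site (new lines 423, 458 and 718 keep only the first result), so a failed client_id check is reported to the caller only as a generic invalid_client / invalid_request error and nothing distinguishes "client registration not enabled" from a token that failed verification, which makes misconfiguration hard to spot in the logs. Logging inside the wrapper keeps the call sites as they are and matches the existing `module:log("debug", "client_secret mismatch")` style; assuming the second value from verify_client is a reason string, as the `nil, "client-registration-not-enabled"` branch suggests, the middle of check_client would become `local ok, client = verify_client(client_id);` / `if not ok then module:log("debug", "client_id verification failed: %s", client); return ok, client; end` / `return client;`. The header comment could also state the contract, e.g. `-- verify the client_id token and prepare the client structure; returns the client table, or nil/false plus a reason string`. The three handlers that call check_client continue outside their hunks.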