Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5008:bd63feda3704
Merge role-auth
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 22 Aug 2022 15:39:02 +0100 |
| parents | 5dadbe0718f1 |
| children | 2c6acf2d6fd4 |
comparison
equal
deleted
inserted
replaced
| 4994:cce12a660b98 | 5008:bd63feda3704 |
|---|---|
| 12 | 12 |
| 13 local tokens = module:depends("tokenauth"); | 13 local tokens = module:depends("tokenauth"); |
| 14 | 14 |
| 15 local clients = module:open_store("oauth2_clients", "map"); | 15 local clients = module:open_store("oauth2_clients", "map"); |
| 16 | 16 |
| 17 local function filter_scopes(request_jid, requested_scope_string) --luacheck: ignore 212/requested_scope_string | 17 local function filter_scopes(username, host, requested_scope_string) |
| 18 -- We currently don't really support scopes, so override | 18 if host ~= module.host then |
| 19 -- to whatever real permissions the user has | 19 return usermanager.get_jid_role(username.."@"..host, module.host).name; |
| 20 if usermanager.is_admin(request_jid, module.host) then | 20 end |
| 21 return "prosody:scope:admin"; | 21 |
| 22 end | 22 if requested_scope_string then -- Specific role requested |
| 23 return "prosody:scope:default"; | 23 -- TODO: The requested scope string is technically a space-delimited list |
| 24 -- of scopes, but for simplicity we're mapping this slot to role names. | |
| 25 if usermanager.user_can_assume_role(username, module.host, requested_scope_string) then | |
| 26 return requested_scope_string; | |
| 27 end | |
| 28 end | |
| 29 | |
| 30 return usermanager.get_user_role(username, module.host).name; | |
| 24 end | 31 end |
| 25 | 32 |
| 26 local function code_expires_in(code) | 33 local function code_expires_in(code) |
| 27 return os.difftime(os.time(), code.issued); | 34 return os.difftime(os.time(), code.issued); |
| 28 end | 35 end |
| 79 if not usermanager.test_password(request_username, request_host, request_password) then | 86 if not usermanager.test_password(request_username, request_host, request_password) then |
| 80 return oauth_error("invalid_grant", "incorrect credentials"); | 87 return oauth_error("invalid_grant", "incorrect credentials"); |
| 81 end | 88 end |
| 82 | 89 |
| 83 local granted_jid = jid.join(request_username, request_host, request_resource); | 90 local granted_jid = jid.join(request_username, request_host, request_resource); |
| 84 local granted_scopes = filter_scopes(granted_jid, params.scope); | 91 local granted_scopes = filter_scopes(request_username, request_host, params.scope); |
| 85 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); | 92 return json.encode(new_access_token(granted_jid, granted_scopes, nil)); |
| 86 end | 93 end |
| 87 | 94 |
| 88 function response_type_handlers.code(params, granted_jid) | 95 function response_type_handlers.code(params, granted_jid) |
| 89 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 96 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 97 if err then error(err); end | 104 if err then error(err); end |
| 98 if not client then | 105 if not client then |
| 99 return oauth_error("invalid_client", "incorrect credentials"); | 106 return oauth_error("invalid_client", "incorrect credentials"); |
| 100 end | 107 end |
| 101 | 108 |
| 102 local granted_scopes = filter_scopes(granted_jid, params.scope); | 109 local granted_scopes = filter_scopes(client_owner, client_host, params.scope); |
| 103 | 110 |
| 104 local code = uuid.generate(); | 111 local code = uuid.generate(); |
| 105 local ok = codes:set(params.client_id .. "#" .. code, { | 112 local ok = codes:set(params.client_id .. "#" .. code, { |
| 106 issued = os.time(); | 113 issued = os.time(); |
| 107 granted_jid = granted_jid; | 114 granted_jid = granted_jid; |