comparison mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua @ 4263:d3af5f94d6df

mod_http_oauth2: Improve storage of client secret Note well: This is still a thing for developers, do not panic!
author Kim Alvefur <zash@zash.se>
date Sun, 22 Nov 2020 01:32:09 +0100
parents 6d7fb22c0440
children b43c6d614d22
4262:6d7fb22c0440 4263:d3af5f94d6df
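--- a/mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua
+++ b/mod_adhoc_oauth2_client/mod_adhoc_oauth2_client.lua
@@ -1,12 +1,17 @@
 local adhoc = require "util.adhoc";
 local dataforms = require "util.dataforms";
 local errors = require "util.error";
+local hashes = require "util.hashes";
 local id = require "util.id";
 local jid = require "util.jid";
+local base64 = require"util.encodings".base64;
 
 local clients = module:open_store("oauth2_clients", "map");
+
+local iteration_count = module:get_option_number("oauth2_client_iteration_count", 10000);
+local pepper = module:get_option_string("oauth2_client_pepper", "");
 
 local new_client = dataforms.new({
 title = "Create OAuth2 client";
 {var = "FORM_TYPE"; type = "hidden"; value = "urn:uuid:ff0d55ed-2187-4ee0-820a-ab633a911c14#create"};
 {name = "name"; type = "text-single"; label = "Client name"; required = true};
@@ -30,19 +35,23 @@
 return {status = "error"; error = {message = table.concat(errmsg, "\n")}};
 end
 
 local creator = jid.split(data.from);
 local client_id = id.short();
+local client_secret = id.long();
+local salt = id.medium();
+local i = iteration_count;
 
-client.client_id = jid.join(creator, module.host, client_id);
-client.client_secret = id.long();
+client.secret_hash = base64.encode(hashes.pbkdf2_hmac_sha256(client_secret, salt .. pepper, i));
+client.iteration_count = i;
+client.salt = salt;
 
 local ok, err = errors.coerce(clients:set(creator, client_id, client));
 module:log("info", "OAuth2 client %q created by %s", client_id, data.from);
 if not ok then return {status = "error"; error = {message = err}}; end
 
-return {status = "completed"; result = {layout = client_created; values = client}};
+return {status = "completed"; result = {layout = client_created; values = {client_id = client.client_id; client_secret = client_secret}}};
 end
 
 local handler = adhoc.new_simple_form(new_client, create_client);
 
 module:provides("adhoc", module:require "adhoc".new(new_client.title, new_client[1].value, handler, "local_user"));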
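Review bot: The new side of the second hunk no longer assigns `client.client_id`: old line 36 `client.client_id = jid.join(creator, module.host, client_id);` is replaced by the `secret_hash` line at new 44, yet new 52 still returns `client.client_id` and the record written at new 48 would carry no client_id field. Unless that assignment was moved into the part of create_client above this hunk (the function starts outside it), the completed form hands the user a nil client_id next to the one-time secret, so the line should be kept, e.g. `client.client_id = jid.join(creator, module.host, client_id);` placed directly before `client.secret_hash = ...`. Returning the plaintext secret only in the ad-hoc result (new 52) while storing just the PBKDF2 hash, salt and iteration count is the right split; the empty default for `oauth2_client_pepper` at new 12 means the per-client salt alone protects the stored hash unless an operator configures one, which deserves a comment such as `-- pepper is optional; set oauth2_client_pepper to add a server-wide secret to each salt`.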