comparison mod_http_oauth2/mod_http_oauth2.lua @ 4263:d3af5f94d6df

mod_http_oauth2: Improve storage of client secret Note well: This is still a thing for developers, do not panic!
author Kim Alvefur <zash@zash.se>
date Sun, 22 Nov 2020 01:32:09 +0100
parents c539334dd01a
children 7b4a73364363
4262:6d7fb22c0440 4263:d3af5f94d6df
1 local hashes = require "util.hashes";
1 local http = require "util.http"; 2 local http = require "util.http";
2 local jid = require "util.jid"; 3 local jid = require "util.jid";
3 local json = require "util.json"; 4 local json = require "util.json";
4 local usermanager = require "core.usermanager"; 5 local usermanager = require "core.usermanager";
5 local errors = require "util.error"; 6 local errors = require "util.error";
88 location = url.build(redirect); 89 location = url.build(redirect);
89 }; 90 };
90 } 91 }
91 end 92 end
92 93
94 local pepper = module:get_option_string("oauth2_client_pepper", "");
95
96 local function verify_secret(stored, salt, i, secret)
97 return base64.decode(stored) == hashes.pbkdf2_hmac_sha256(secret, salt .. pepper, i);
98 end
99
93 function grant_type_handlers.authorization_code(params) 100 function grant_type_handlers.authorization_code(params)
94 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end 101 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
95 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end 102 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
96 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end 103 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
97 if params.scope and params.scope ~= "" then 104 if params.scope and params.scope ~= "" then
103 module:log("debug", "%q ~= %q", client_host, module.host); 110 module:log("debug", "%q ~= %q", client_host, module.host);
104 return oauth_error("invalid_client", "incorrect credentials"); 111 return oauth_error("invalid_client", "incorrect credentials");
105 end 112 end
106 local client, err = clients:get(client_owner, client_id); 113 local client, err = clients:get(client_owner, client_id);
107 if err then error(err); end 114 if err then error(err); end
108 if not client or client.client_secret ~= params.client_secret then 115 if not client or not verify_secret(client.secret_hash, client.salt, client.iteration_count, params.client_secret) then
109 module:log("debug", "client_secret mismatch"); 116 module:log("debug", "client_secret mismatch");
110 return oauth_error("invalid_client", "incorrect credentials"); 117 return oauth_error("invalid_client", "incorrect credentials");
111 end 118 end
112 local code, err = codes:get(client_owner, client_id .. "#" .. params.code); 119 local code, err = codes:get(client_owner, client_id .. "#" .. params.code);
113 if err then error(err); end 120 if err then error(err); end
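Review bot: verify_secret at new lines 96-98 raises instead of returning false when any of client.secret_hash, client.salt or client.iteration_count is nil — `salt .. pepper` fails with "attempt to concatenate a nil value", and base64.decode and pbkdf2_hmac_sha256 presumably reject a nil argument as well — so a client record written before this change (still carrying a plaintext client_secret and none of the new fields) turns the invalid_client path at new line 115 into an uncaught error from the grant handler. Add a guard as the first line of the function: `if type(stored) ~= "string" or type(salt) ~= "string" or type(i) ~= "number" then return false; end`. The base64 referenced at new line 97 is not among the requires added in the first hunk; it is presumably required further down in the header, which is outside the visible lines. Since the pepper is mixed into the salt, a comment above `local pepper` at new line 94 would save the next maintainer a surprise: `-- Changing oauth2_client_pepper invalidates every stored client secret hash`. grant_type_handlers.authorization_code starts at new line 100 and continues past the end of the hunk.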