Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 4370:dee6b5098278
mod_http_oauth2: Add endpoint to revoke a key (RFC 7009 kinda)
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 21 Jan 2021 18:06:12 +0000 |
parents | 7cd3b7ec59e9 |
children | d3434fd151b5 |
comparison
equal
deleted
inserted
replaced
4369:29b7f445aec5 | 4370:dee6b5098278 |
---|---|
155 assert(codes:set(client_owner, client_id .. "#" .. params.code, nil)); | 155 assert(codes:set(client_owner, client_id .. "#" .. params.code, nil)); |
156 | 156 |
157 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil)); | 157 return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil)); |
158 end | 158 end |
159 | 159 |
160 local function check_credentials(request) | 160 local function check_credentials(request, allow_token) |
161 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); | 161 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); |
162 | 162 |
163 if auth_type == "Basic" then | 163 if auth_type == "Basic" then |
164 local creds = base64.decode(auth_data); | 164 local creds = base64.decode(auth_data); |
165 if not creds then return false; end | 165 if not creds then return false; end |
169 if not username then return false; end | 169 if not username then return false; end |
170 if not usermanager.test_password(username, module.host, password) then | 170 if not usermanager.test_password(username, module.host, password) then |
171 return false; | 171 return false; |
172 end | 172 end |
173 return username; | 173 return username; |
174 elseif auth_type == "Bearer" and allow_token then | |
175 local token_info = tokens.get_token_info(auth_data); | |
176 if not token_info or not token_info.session or token_info.session.host ~= module.host then | |
177 return false; | |
178 end | |
179 return token_info.session.username; | |
174 end | 180 end |
175 return nil; | 181 return nil; |
176 end | 182 end |
177 | 183 |
178 if module:get_host_type() == "component" then | 184 if module:get_host_type() == "component" then |
242 return oauth_error("unsupported_response_type"); | 248 return oauth_error("unsupported_response_type"); |
243 end | 249 end |
244 return response_handler(params, jid.join(user, module.host)); | 250 return response_handler(params, jid.join(user, module.host)); |
245 end | 251 end |
246 | 252 |
253 local function handle_revocation_request(event) | |
254 local request, response = event.request, event.response; | |
255 if not request.headers.authorization then | |
256 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); | |
257 return 401; | |
258 elseif request.headers.content_type ~= "application/x-www-form-urlencoded" | |
259 or not request.body or request.body == "" then | |
260 return 400; | |
261 end | |
262 local user = check_credentials(request, true); | |
263 if not user then | |
264 return 401; | |
265 end | |
266 | |
267 local form_data = http.formdecode(event.request.body); | |
268 if not form_data or not form_data.token then | |
269 return 400; | |
270 end | |
271 local ok, err = tokens.revoke_token(form_data.token); | |
272 if not ok then | |
273 module:log("warn", "Unable to revoke token: %s", tostring(err)); | |
274 return 500; | |
275 end | |
276 return 200; | |
277 end | |
278 | |
247 module:depends("http"); | 279 module:depends("http"); |
248 module:provides("http", { | 280 module:provides("http", { |
249 route = { | 281 route = { |
250 ["POST /token"] = handle_token_grant; | 282 ["POST /token"] = handle_token_grant; |
251 ["GET /authorize"] = handle_authorization_request; | 283 ["GET /authorize"] = handle_authorization_request; |
284 ["POST /revoke"] = handle_revocation_request; | |
252 }; | 285 }; |
253 }); | 286 }); |
254 | 287 |
255 local http_server = require "net.http.server"; | 288 local http_server = require "net.http.server"; |
256 | 289 |