Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5262:e73f364b5624
mod_http_oauth2: Rename oauth client credential related functions
To make it more explicit what "secret" these deal with.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 21 Mar 2023 21:36:54 +0100 |
| parents | 8fba651b10ef |
| children | 381c62ef52aa |
comparison
equal
deleted
inserted
replaced
| 5261:6526b670e66d | 5262:e73f364b5624 |
|---|---|
| 282 location = url.build(redirect); | 282 location = url.build(redirect); |
| 283 }; | 283 }; |
| 284 } | 284 } |
| 285 end | 285 end |
| 286 | 286 |
| 287 local function make_secret(client_id) --> client_secret | 287 local function make_client_secret(client_id) --> client_secret |
| 288 return hashes.hmac_sha256(verification_key, client_id, true); | 288 return hashes.hmac_sha256(verification_key, client_id, true); |
| 289 end | 289 end |
| 290 | 290 |
| 291 local function verify_secret(client_id, client_secret) | 291 local function verify_client_secret(client_id, client_secret) |
| 292 return hashes.equals(make_secret(client_id), client_secret); | 292 return hashes.equals(make_client_secret(client_id), client_secret); |
| 293 end | 293 end |
| 294 | 294 |
| 295 function grant_type_handlers.authorization_code(params) | 295 function grant_type_handlers.authorization_code(params) |
| 296 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 296 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 297 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | 297 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end |
| 303 local client_ok, client = jwt_verify(params.client_id); | 303 local client_ok, client = jwt_verify(params.client_id); |
| 304 if not client_ok then | 304 if not client_ok then |
| 305 return oauth_error("invalid_client", "incorrect credentials"); | 305 return oauth_error("invalid_client", "incorrect credentials"); |
| 306 end | 306 end |
| 307 | 307 |
| 308 if not verify_secret(params.client_id, params.client_secret) then | 308 if not verify_client_secret(params.client_id, params.client_secret) then |
| 309 module:log("debug", "client_secret mismatch"); | 309 module:log("debug", "client_secret mismatch"); |
| 310 return oauth_error("invalid_client", "incorrect credentials"); | 310 return oauth_error("invalid_client", "incorrect credentials"); |
| 311 end | 311 end |
| 312 local code, err = codes:get(params.client_id .. "#" .. params.code); | 312 local code, err = codes:get(params.client_id .. "#" .. params.code); |
| 313 if err then error(err); end | 313 if err then error(err); end |
| 550 -- Notify client of rejection | 550 -- Notify client of rejection |
| 551 return error_response(request, oauth_error("access_denied")); | 551 return error_response(request, oauth_error("access_denied")); |
| 552 end | 552 end |
| 553 | 553 |
| 554 local user_jid = jid.join(auth_state.user.username, module.host); | 554 local user_jid = jid.join(auth_state.user.username, module.host); |
| 555 local client_secret = make_secret(params.client_id); | 555 local client_secret = make_client_secret(params.client_id); |
| 556 local id_token_signer = jwt.new_signer("HS256", client_secret); | 556 local id_token_signer = jwt.new_signer("HS256", client_secret); |
| 557 local id_token = id_token_signer({ | 557 local id_token = id_token_signer({ |
| 558 iss = get_issuer(); | 558 iss = get_issuer(); |
| 559 sub = url.build({ scheme = "xmpp"; path = user_jid }); | 559 sub = url.build({ scheme = "xmpp"; path = user_jid }); |
| 560 aud = params.client_id; | 560 aud = params.client_id; |
| 673 -- timestamp should be sufficient to rule out brute force attacks | 673 -- timestamp should be sufficient to rule out brute force attacks |
| 674 client_metadata.nonce = id.short(); | 674 client_metadata.nonce = id.short(); |
| 675 | 675 |
| 676 -- Do we want to keep everything? | 676 -- Do we want to keep everything? |
| 677 local client_id = jwt_sign(client_metadata); | 677 local client_id = jwt_sign(client_metadata); |
| 678 local client_secret = make_secret(client_id); | 678 local client_secret = make_client_secret(client_id); |
| 679 | 679 |
| 680 client_metadata.client_id = client_id; | 680 client_metadata.client_id = client_id; |
| 681 client_metadata.client_secret = client_secret; | 681 client_metadata.client_secret = client_secret; |
| 682 client_metadata.client_id_issued_at = os.time(); | 682 client_metadata.client_id_issued_at = os.time(); |
| 683 client_metadata.client_secret_expires_at = 0; | 683 client_metadata.client_secret_expires_at = 0; |