Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5262:e73f364b5624
mod_http_oauth2: Rename oauth client credential related functions
To make it more explicit what "secret" these deal with.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 21 Mar 2023 21:36:54 +0100 |
parents | 8fba651b10ef |
children | 381c62ef52aa |
comparison
equal
deleted
inserted
replaced
5261:6526b670e66d | 5262:e73f364b5624 |
---|---|
282 location = url.build(redirect); | 282 location = url.build(redirect); |
283 }; | 283 }; |
284 } | 284 } |
285 end | 285 end |
286 | 286 |
287 local function make_secret(client_id) --> client_secret | 287 local function make_client_secret(client_id) --> client_secret |
288 return hashes.hmac_sha256(verification_key, client_id, true); | 288 return hashes.hmac_sha256(verification_key, client_id, true); |
289 end | 289 end |
290 | 290 |
291 local function verify_secret(client_id, client_secret) | 291 local function verify_client_secret(client_id, client_secret) |
292 return hashes.equals(make_secret(client_id), client_secret); | 292 return hashes.equals(make_client_secret(client_id), client_secret); |
293 end | 293 end |
294 | 294 |
295 function grant_type_handlers.authorization_code(params) | 295 function grant_type_handlers.authorization_code(params) |
296 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 296 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
297 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | 297 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end |
303 local client_ok, client = jwt_verify(params.client_id); | 303 local client_ok, client = jwt_verify(params.client_id); |
304 if not client_ok then | 304 if not client_ok then |
305 return oauth_error("invalid_client", "incorrect credentials"); | 305 return oauth_error("invalid_client", "incorrect credentials"); |
306 end | 306 end |
307 | 307 |
308 if not verify_secret(params.client_id, params.client_secret) then | 308 if not verify_client_secret(params.client_id, params.client_secret) then |
309 module:log("debug", "client_secret mismatch"); | 309 module:log("debug", "client_secret mismatch"); |
310 return oauth_error("invalid_client", "incorrect credentials"); | 310 return oauth_error("invalid_client", "incorrect credentials"); |
311 end | 311 end |
312 local code, err = codes:get(params.client_id .. "#" .. params.code); | 312 local code, err = codes:get(params.client_id .. "#" .. params.code); |
313 if err then error(err); end | 313 if err then error(err); end |
550 -- Notify client of rejection | 550 -- Notify client of rejection |
551 return error_response(request, oauth_error("access_denied")); | 551 return error_response(request, oauth_error("access_denied")); |
552 end | 552 end |
553 | 553 |
554 local user_jid = jid.join(auth_state.user.username, module.host); | 554 local user_jid = jid.join(auth_state.user.username, module.host); |
555 local client_secret = make_secret(params.client_id); | 555 local client_secret = make_client_secret(params.client_id); |
556 local id_token_signer = jwt.new_signer("HS256", client_secret); | 556 local id_token_signer = jwt.new_signer("HS256", client_secret); |
557 local id_token = id_token_signer({ | 557 local id_token = id_token_signer({ |
558 iss = get_issuer(); | 558 iss = get_issuer(); |
559 sub = url.build({ scheme = "xmpp"; path = user_jid }); | 559 sub = url.build({ scheme = "xmpp"; path = user_jid }); |
560 aud = params.client_id; | 560 aud = params.client_id; |
673 -- timestamp should be sufficient to rule out brute force attacks | 673 -- timestamp should be sufficient to rule out brute force attacks |
674 client_metadata.nonce = id.short(); | 674 client_metadata.nonce = id.short(); |
675 | 675 |
676 -- Do we want to keep everything? | 676 -- Do we want to keep everything? |
677 local client_id = jwt_sign(client_metadata); | 677 local client_id = jwt_sign(client_metadata); |
678 local client_secret = make_secret(client_id); | 678 local client_secret = make_client_secret(client_id); |
679 | 679 |
680 client_metadata.client_id = client_id; | 680 client_metadata.client_id = client_id; |
681 client_metadata.client_secret = client_secret; | 681 client_metadata.client_secret = client_secret; |
682 client_metadata.client_id_issued_at = os.time(); | 682 client_metadata.client_id_issued_at = os.time(); |
683 client_metadata.client_secret_expires_at = 0; | 683 client_metadata.client_secret_expires_at = 0; |