Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5629:ef0a283507c9
mod_http_oauth2: Make storage of various code more consistent
I'm not sure how any of this worked at all.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 06 Aug 2023 12:07:05 +0200 |
parents | 9aace51c3637 |
children | dd2079b3dec6 |
comparison
equal
deleted
inserted
replaced
5628:9aace51c3637 | 5629:ef0a283507c9 |
---|---|
392 | 392 |
393 if pkce_required and not params.code_challenge then | 393 if pkce_required and not params.code_challenge then |
394 return oauth_error("invalid_request", "PKCE required"); | 394 return oauth_error("invalid_request", "PKCE required"); |
395 end | 395 end |
396 | 396 |
397 local prefix = "authorization_code:"; | |
397 local code = id.medium(); | 398 local code = id.medium(); |
398 if params.redirect_uri == device_uri then | 399 if params.redirect_uri == device_uri then |
399 local is_device, device_state = verify_device_token(params.state); | 400 local is_device, device_state = verify_device_token(params.state); |
400 if is_device then | 401 if is_device then |
401 -- reconstruct the device_code | 402 -- reconstruct the device_code |
403 prefix = "device_code:"; | |
402 code = b64url(hashes.hmac_sha256(verification_key, device_state.user_code)); | 404 code = b64url(hashes.hmac_sha256(verification_key, device_state.user_code)); |
403 else | 405 else |
404 return oauth_error("invalid_request"); | 406 return oauth_error("invalid_request"); |
405 end | 407 end |
406 end | 408 end |
407 local ok = codes:set("authorization_code:" .. params.client_id .. "#" .. code, { | 409 local ok = codes:set(prefix.. params.client_id .. "#" .. code, { |
408 expires = os.time() + 600; | 410 expires = os.time() + 600; |
409 granted_jid = granted_jid; | 411 granted_jid = granted_jid; |
410 granted_scopes = granted_scopes; | 412 granted_scopes = granted_scopes; |
411 granted_role = granted_role; | 413 granted_role = granted_role; |
412 challenge = params.code_challenge; | 414 challenge = params.code_challenge; |
578 if not verify_client_secret(params.client_id, params.client_secret) then | 580 if not verify_client_secret(params.client_id, params.client_secret) then |
579 module:log("debug", "client_secret mismatch"); | 581 module:log("debug", "client_secret mismatch"); |
580 return oauth_error("invalid_client", "incorrect credentials"); | 582 return oauth_error("invalid_client", "incorrect credentials"); |
581 end | 583 end |
582 | 584 |
583 local code = codes:get("device_code:" .. params.device_code); | 585 local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code); |
584 if type(code) ~= "table" or code_expired(code) then | 586 if type(code) ~= "table" or code_expired(code) then |
585 return oauth_error("expired_token"); | 587 return oauth_error("expired_token"); |
586 elseif code.error then | 588 elseif code.error then |
587 return code.error; | 589 return code.error; |
588 elseif not code.granted_jid then | 590 elseif not code.granted_jid then |
589 return oauth_error("authorization_pending"); | 591 return oauth_error("authorization_pending"); |
590 end | 592 end |
591 codes:set("device_code:" .. params.device_code, nil); | 593 codes:set("device_code:" .. params.client_id .. "#" .. params.device_code, nil); |
592 | 594 |
593 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token)); | 595 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token)); |
594 end | 596 end |
595 | 597 |
596 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients | 598 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients |
991 -- device code should be derivable after consent but not guessable by the user | 993 -- device code should be derivable after consent but not guessable by the user |
992 local device_code = b64url(hashes.hmac_sha256(verification_key, user_code)); | 994 local device_code = b64url(hashes.hmac_sha256(verification_key, user_code)); |
993 local verification_uri = module:http_url() .. "/device"; | 995 local verification_uri = module:http_url() .. "/device"; |
994 local verification_uri_complete = verification_uri .. "?" .. http.formencode({ user_code = user_code }); | 996 local verification_uri_complete = verification_uri .. "?" .. http.formencode({ user_code = user_code }); |
995 | 997 |
996 local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = os.time() + 1200 }); | 998 local expires = os.time() + 600; |
999 local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = expires }); | |
997 local uc_ok = codes:set("user_code:" .. user_code, | 1000 local uc_ok = codes:set("user_code:" .. user_code, |
998 { user_code = user_code; expires = os.time() + 600; client_id = params.client_id; | 1001 { user_code = user_code; expires = expires; client_id = params.client_id; |
999 scope = requested_scopes:concat(" ") }); | 1002 scope = requested_scopes:concat(" ") }); |
1000 if not dc_ok or not uc_ok then | 1003 if not dc_ok or not uc_ok then |
1001 return oauth_error("temporarily_unavailable"); | 1004 return oauth_error("temporarily_unavailable"); |
1002 end | 1005 end |
1003 | 1006 |