Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5629:ef0a283507c9
mod_http_oauth2: Make storage of various code more consistent
I'm not sure how any of this worked at all.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 06 Aug 2023 12:07:05 +0200 |
| parents | 9aace51c3637 |
| children | dd2079b3dec6 |
comparison
equal
deleted
inserted
replaced
| 5628:9aace51c3637 | 5629:ef0a283507c9 |
|---|---|
| 392 | 392 |
| 393 if pkce_required and not params.code_challenge then | 393 if pkce_required and not params.code_challenge then |
| 394 return oauth_error("invalid_request", "PKCE required"); | 394 return oauth_error("invalid_request", "PKCE required"); |
| 395 end | 395 end |
| 396 | 396 |
| 397 local prefix = "authorization_code:"; | |
| 397 local code = id.medium(); | 398 local code = id.medium(); |
| 398 if params.redirect_uri == device_uri then | 399 if params.redirect_uri == device_uri then |
| 399 local is_device, device_state = verify_device_token(params.state); | 400 local is_device, device_state = verify_device_token(params.state); |
| 400 if is_device then | 401 if is_device then |
| 401 -- reconstruct the device_code | 402 -- reconstruct the device_code |
| 403 prefix = "device_code:"; | |
| 402 code = b64url(hashes.hmac_sha256(verification_key, device_state.user_code)); | 404 code = b64url(hashes.hmac_sha256(verification_key, device_state.user_code)); |
| 403 else | 405 else |
| 404 return oauth_error("invalid_request"); | 406 return oauth_error("invalid_request"); |
| 405 end | 407 end |
| 406 end | 408 end |
| 407 local ok = codes:set("authorization_code:" .. params.client_id .. "#" .. code, { | 409 local ok = codes:set(prefix.. params.client_id .. "#" .. code, { |
| 408 expires = os.time() + 600; | 410 expires = os.time() + 600; |
| 409 granted_jid = granted_jid; | 411 granted_jid = granted_jid; |
| 410 granted_scopes = granted_scopes; | 412 granted_scopes = granted_scopes; |
| 411 granted_role = granted_role; | 413 granted_role = granted_role; |
| 412 challenge = params.code_challenge; | 414 challenge = params.code_challenge; |
| 578 if not verify_client_secret(params.client_id, params.client_secret) then | 580 if not verify_client_secret(params.client_id, params.client_secret) then |
| 579 module:log("debug", "client_secret mismatch"); | 581 module:log("debug", "client_secret mismatch"); |
| 580 return oauth_error("invalid_client", "incorrect credentials"); | 582 return oauth_error("invalid_client", "incorrect credentials"); |
| 581 end | 583 end |
| 582 | 584 |
| 583 local code = codes:get("device_code:" .. params.device_code); | 585 local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code); |
| 584 if type(code) ~= "table" or code_expired(code) then | 586 if type(code) ~= "table" or code_expired(code) then |
| 585 return oauth_error("expired_token"); | 587 return oauth_error("expired_token"); |
| 586 elseif code.error then | 588 elseif code.error then |
| 587 return code.error; | 589 return code.error; |
| 588 elseif not code.granted_jid then | 590 elseif not code.granted_jid then |
| 589 return oauth_error("authorization_pending"); | 591 return oauth_error("authorization_pending"); |
| 590 end | 592 end |
| 591 codes:set("device_code:" .. params.device_code, nil); | 593 codes:set("device_code:" .. params.client_id .. "#" .. params.device_code, nil); |
| 592 | 594 |
| 593 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token)); | 595 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token)); |
| 594 end | 596 end |
| 595 | 597 |
| 596 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients | 598 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients |
| 991 -- device code should be derivable after consent but not guessable by the user | 993 -- device code should be derivable after consent but not guessable by the user |
| 992 local device_code = b64url(hashes.hmac_sha256(verification_key, user_code)); | 994 local device_code = b64url(hashes.hmac_sha256(verification_key, user_code)); |
| 993 local verification_uri = module:http_url() .. "/device"; | 995 local verification_uri = module:http_url() .. "/device"; |
| 994 local verification_uri_complete = verification_uri .. "?" .. http.formencode({ user_code = user_code }); | 996 local verification_uri_complete = verification_uri .. "?" .. http.formencode({ user_code = user_code }); |
| 995 | 997 |
| 996 local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = os.time() + 1200 }); | 998 local expires = os.time() + 600; |
| 999 local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = expires }); | |
| 997 local uc_ok = codes:set("user_code:" .. user_code, | 1000 local uc_ok = codes:set("user_code:" .. user_code, |
| 998 { user_code = user_code; expires = os.time() + 600; client_id = params.client_id; | 1001 { user_code = user_code; expires = expires; client_id = params.client_id; |
| 999 scope = requested_scopes:concat(" ") }); | 1002 scope = requested_scopes:concat(" ") }); |
| 1000 if not dc_ok or not uc_ok then | 1003 if not dc_ok or not uc_ok then |
| 1001 return oauth_error("temporarily_unavailable"); | 1004 return oauth_error("temporarily_unavailable"); |
| 1002 end | 1005 end |
| 1003 | 1006 |