diff mod_unified_push/mod_unified_push.lua @ 5147:658658ea9323

mod_unified_push: Add ACL option to restrict access. It defaults to the current host if on a VirtualHost, or to the parent host if on a component.
author Matthew Wild <mwild1@gmail.com>
date Fri, 13 Jan 2023 16:41:48 +0000
parents a86022d702b2
children bf42f1401f1c
--- a/mod_unified_push/mod_unified_push.lua	Fri Jan 13 16:40:00 2023 +0000
+++ b/mod_unified_push/mod_unified_push.lua	Fri Jan 13 16:41:48 2023 +0000
@@ -15,6 +15,19 @@
 
 module:add_feature(xmlns_up);
 
+local acl = module:get_option_set("unified_push_acl", {
+	module:get_host_type() == "local" and module.host or module.host:match("^[^%.]%.(.+)$")
+});
+
+local function is_jid_permitted(user_jid)
+	for acl_entry in acl do
+		if jid.compare(user_jid, acl_entry) then
+			return true;
+		end
+	end
+	return false;
+end
+
 local function check_sha256(s)
 	if not s then return nil, "no value provided"; end
 	local d = base64.decode(s);
@@ -44,6 +57,9 @@
 -- Handle incoming registration from XMPP client
 function handle_register(event)
 	local origin, stanza = event.origin, event.stanza;
+	if not is_jid_permitted(stanza.attr.from) then
+		return st.error_reply(stanza, "auth", "forbidden");
+	end
 	local instance, instance_err = check_sha256(stanza.tags[1].attr.instance);
 	if not instance then
 		return st.error_reply(stanza, "modify", "bad-request", "instance: "..instance_err);
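Review bot: The new check in `handle_register` rejects non-permitted JIDs with a bare forbidden error and leaves no trace server-side, which makes a misconfigured ACL (or a probing client) hard to diagnose from the logs. Consider logging before returning, e.g. `module:log("debug", "Rejecting registration from %s: not in unified_push_acl", stanza.attr.from);`, and giving the reply a short text so the client sees why. The check relies on `stanza.attr.from` being populated by the stanza router for this hook; that appears to be the convention here, but it is worth a comment such as `-- from is filled in by the router for c2s stanzas; ACL is matched against it` so the assumption is explicit. The body of `handle_register` continues past the end of this hunk.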