Mercurial > prosody-modules
diff mod_auth_oauthbearer/mod_auth_oauthbearer.lua @ 3114:73ada978dabc
mod_sasl_oauthbearer and mod_auth_oauthbearer
Two new modules for logging in with OAuth tokens.
| author | JC Brand <jc@opkode.com> |
|---|---|
| date | Wed, 13 Jun 2018 17:09:49 +0000 |
| parents | |
| children | d2bf9c8be3a3 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_auth_oauthbearer/mod_auth_oauthbearer.lua Wed Jun 13 17:09:49 2018 +0000 @@ -0,0 +1,90 @@ +local host = module.host; +local log = module._log; +local new_sasl = require "util.sasl".new; +local base64 = require "util.encodings".base64.encode; + +local provider = {}; + +local oauth_client_id = module:get_option_string("oauth_client_id", ""); +local oauth_client_secret = module:get_option_string("oauth_client_secret", ""); +local oauth_url = module:get_option_string("oauth_url", ""); + +if oauth_client_id == "" then error("oauth_client_id required") end +if oauth_client_secret == "" then error("oauth_client_secret required") end +if oauth_url == "" then error("oauth_url required") end + +-- globals required by socket.http +if rawget(_G, "PROXY") == nil then + rawset(_G, "PROXY", false) +end +if rawget(_G, "base_parsed") == nil then + rawset(_G, "base_parsed", false) +end + +local function interp(s, tab) + -- String interpolation, so that we can make the oauth_url configurable + -- e.g. oauth_url = "https://api.github.com/applications/{{oauth_client_id}}/tokens/{{password}}"; + -- + -- See: http://lua-users.org/wiki/StringInterpolation + return (s:gsub('(%b{})', function(w) return tab[w:sub(3, -3)] or w end)) +end + +function provider.test_password(sasl, username, password, realm) + log("debug", "Testing signed OAuth2 for user %s at realm %s", username, realm); + -- TODO: determine, based on the "realm" which OAuth provider to verify with. + module:log("debug", "sync_http_auth()"); + local https = require "ssl.https"; + local url = interp(oauth_url, {oauth_client_id = oauth_client_id, password = password}); + + module:log("debug", "The URL is: "..url); + local _, code, headers, status = https.request{ + url = url, + headers = { + Authorization = "Basic "..base64(oauth_client_id..":"..oauth_client_secret); + } + }; + if type(code) == "number" and code >= 200 and code <= 299 then + module:log("debug", "OAuth provider confirmed valid password"); + return 'johnny', true; + else + module:log("warn", "OAuth provider returned status code: "..code); + end + module:log("warn", "OAuth failed. Invalid username or password."); + return nil, false; +end + +function provider.users() + return function() + return nil; + end +end + +function provider.set_password(username, password) + return nil, "Changing passwords not supported"; +end + +function provider.user_exists(username) + return true; +end + +function provider.create_user(username, password) + return nil, "User creation not supported"; +end + +function provider.delete_user(username) + return nil , "User deletion not supported"; +end + +function provider.get_sasl_handler() + local supported_mechanisms = {}; + supported_mechanisms["OAUTHBEARER"] = true; + + return new_sasl(host, { + oauthbearer = function(sasl, username, password, realm) + return provider.test_password(sasl, username, password, realm); + end, + mechanisms = supported_mechanisms + }); +end + +module:provides("auth", provider);