diff mod_http_oauth2/mod_http_oauth2.lua @ 4260:c539334dd01a

mod_http_oauth2: Rescope oauth client config into users' storage This produces client_id of the form owner@host/random and prevents clients from being deleted by registering an account with the same name and then deleting the account, as well as having the client automatically be deleted when the owner account is removed. On one hand, this leaks the bare JID of the creator to users. On the other hand, it makes it obvious who made the oauth application. This module is experimental and only for developers, so this can be changed if a better method comes up.
author Kim Alvefur <zash@zash.se>
date Sat, 21 Nov 2020 23:55:10 +0100
parents 721b528c01e1
children d3af5f94d6df
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Nov 21 23:03:47 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Nov 21 23:55:10 2020 +0100
@@ -10,7 +10,7 @@
 
 local tokens = module:depends("tokenauth");
 
-local clients = module:open_store("oauth2_clients");
+local clients = module:open_store("oauth2_clients", "map");
 local codes = module:open_store("oauth2_codes", "map");
 
 local function oauth_error(err_name, err_desc)
@@ -60,15 +60,18 @@
 		return oauth_error("invalid_scope", "unknown scope requested");
 	end
 
-	local client, err = clients:get(params.client_id);
-	module:log("debug", "clients:get(%q) --> %q, %q", params.client_id, client, err);
+	local client_owner, client_host, client_id = jid.prepped_split(params.client_id);
+	if client_host ~= module.host then
+		return oauth_error("invalid_client", "incorrect credentials");
+	end
+	local client, err = clients:get(client_owner, client_id);
 	if err then error(err); end
 	if not client then
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
 
 	local code = uuid.generate();
-	assert(codes:set(params.client_id, code, { issued = os.time(), granted_jid = granted_jid, }));
+	assert(codes:set(client_owner, client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
 
 	local redirect = url.parse(params.redirect_uri);
 	local query = http.formdecode(redirect.query or "");
@@ -95,18 +98,24 @@
 		return oauth_error("invalid_scope", "unknown scope requested");
 	end
 
-	local client, err = clients:get(params.client_id);
-	if err then error(err); end
-	if not client or client.secret ~= params.client_secret then
+	local client_owner, client_host, client_id = jid.prepped_split(params.client_id);
+	if client_host ~= module.host then
+		module:log("debug", "%q ~= %q", client_host, module.host);
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
-	local code, err = codes:get(params.client_id, params.code);
+	local client, err = clients:get(client_owner, client_id);
+	if err then error(err); end
+	if not client or client.client_secret ~= params.client_secret then
+		module:log("debug", "client_secret mismatch");
+		return oauth_error("invalid_client", "incorrect credentials");
+	end
+	local code, err = codes:get(client_owner, client_id .. "#" .. params.code);
 	if err then error(err); end
 	if not code or type(code) ~= "table" or os.difftime(os.time(), code.issued) > 900 then
+		module:log("debug", "authorization_code invalid or expired: %q", code);
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
-	assert(codes:set(params.client_id, params.code, nil));
-
+	assert(codes:set(client_owner, client_id .. "#" .. params.code, nil));
 
 	return json.encode(new_access_token(code.granted_jid, nil, nil));
 end