Mercurial > prosody-modules
view mod_auth_cyrus/mod_auth_cyrus.lua @ 5404:1087f697c3f3
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in of unvalidated data that might become used
later, especially since the 'additionalProperties' schema keyword was
removed in 698fef74ce53
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:23:40 +0200 |
parents | b8366e31c829 |
children |
line wrap: on
line source
-- Prosody IM -- Copyright (C) 2008-2010 Matthew Wild -- Copyright (C) 2008-2010 Waqas Hussain -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- -- luacheck: ignore 212 local log = require "util.logger".init("auth_cyrus"); local usermanager_user_exists = require "core.usermanager".user_exists; local cyrus_service_realm = module:get_option("cyrus_service_realm"); local cyrus_service_name = module:get_option("cyrus_service_name"); local cyrus_application_name = module:get_option("cyrus_application_name"); local require_provisioning = module:get_option("cyrus_require_provisioning") or false; local host_fqdn = module:get_option("cyrus_server_fqdn"); prosody.unlock_globals(); --FIXME: Figure out why this is needed and -- why cyrussasl isn't caught by the sandbox local cyrus_new = module:require "sasl_cyrus".new; prosody.lock_globals(); local new_sasl = function(realm) return cyrus_new( cyrus_service_realm or realm, cyrus_service_name or "xmpp", cyrus_application_name or "prosody", host_fqdn ); end do -- diagnostic local list; for mechanism in pairs(new_sasl(module.host):mechanisms()) do list = (not(list) and mechanism) or (list..", "..mechanism); end if not list then module:log("error", "No Cyrus SASL mechanisms available"); else module:log("debug", "Available Cyrus SASL mechanisms: %s", list); end end local host = module.host; -- define auth provider local provider = {}; log("debug", "initializing default authentication provider for host '%s'", host); function provider.test_password(username, password) return nil, "Legacy auth not supported with Cyrus SASL."; end function provider.get_password(username) return nil, "Passwords unavailable for Cyrus SASL."; end function provider.set_password(username, password) return nil, "Passwords unavailable for Cyrus SASL."; end function provider.user_exists(username) if require_provisioning then return usermanager_user_exists(username, host); end return true; end function provider.create_user(username, password) return nil, "Account creation/modification not available with Cyrus SASL."; end function provider.get_sasl_handler() local handler = new_sasl(host); if require_provisioning then function handler.require_provisioning(username) return usermanager_user_exists(username, host); end end return handler; end module:provides("auth", provider);