Mercurial > prosody-modules
view mod_require_otr/mod_require_otr.lua @ 5404:1087f697c3f3
mod_http_oauth2: Strip unknown extra fields from client registration
We shouldn't sign things we don't understand!
RFC 7591 section-2 states:
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
Prevents grandfathering in of unvalidated data that might become used
later, especially since the 'additionalProperties' schema keyword was
removed in 698fef74ce53
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 May 2023 16:23:40 +0200 |
| parents | dfe1818962f5 |
| children |
line wrap: on
line source
local st = require "util.stanza"; local block_groupchat = module:get_option_boolean("otr_block_groupchat", false); function reject_plaintext_messages(event) local body = event.stanza:get_child_text("body"); if body and body:sub(1,4) ~= "?OTR" or (not block_groupchat and event.stanza.attr.type == "groupchat") then return event.origin.send(st.error_reply(event.stanza, "modify", "policy-violation", "OTR encryption is required for conversations on this server")); end end module:hook("pre-message/bare", reject_plaintext_messages, 300); module:hook("pre-message/full", reject_plaintext_messages, 300); module:hook("pre-message/host", reject_plaintext_messages, 300);