Mercurial > prosody-modules
view mod_http_muc_kick/mod_http_muc_kick.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 03 Mar 2023 21:14:19 +0100 |
| parents | e524a97730eb |
| children |
line wrap: on
line source
local jid_split = require "util.jid".prepped_split; local json = require "util.json"; module:depends("http"); local authorization = assert( module:get_option_string("http_muc_kick_authorization_header", nil), "http_muc_kick_authorization_header setting is missing, please add it to the Prosody config before using mod_http_muc_kick" ); local function is_authorized(request) return request.headers.authorization == authorization; end local function check_muc(jid) local muc_node, host = jid_split(jid); if not hosts[host] then return nil, nil, "No such host: "..host; elseif not hosts[host].modules.muc then return nil, nil, "Host '"..host.."' is not a MUC service"; end return muc_node, host; end local function get_muc(muc_jid) local muc_node, host, err = check_muc(muc_jid); if not muc_node then return nil, host, err; end local muc = prosody.hosts[host].modules.muc.get_room_from_jid(muc_jid); if not muc then return nil, host, "No MUC '"..muc_node.."' found for host: "..host; end return muc; end local function handle_error(response, status_code, error) response.headers.content_type = "application/json"; response.status_code = status_code; response:send(json.encode({error = error})); -- return true to keep the connection open, and prevent other handlers from executing. -- https://prosody.im/doc/developers/http#return_value return true; end module:provides("http", { route = { ["POST"] = function (event) local request, response = event.request, event.response; if not is_authorized(request) then return handle_error(response, 401, "Authorization failed"); end local body = json.decode(request.body or "") or {}; if not body then return handle_error(response, 400, "JSON body not found"); end local nickname, muc_jid, reason = body.nickname, body.muc, body.reason or ""; if not nickname or not muc_jid then return handle_error(response, 400, "Missing nickname and/or MUC"); end local muc, _, err = get_muc(muc_jid); if not muc then return handle_error(response, 404, "MUC not found: " .. err); end local occupant_jid = muc.jid .. "/" .. nickname; -- Kick user by giving them the "none" role -- https://xmpp.org/extensions/xep-0045.html#kick local success, error, condition = muc:set_role(true, occupant_jid, nil, reason); if not success then return handle_error(response, 400, "Couldn't kick user: ".. error .. ": " .. condition); end -- Kick was successful return 200; end; }; });