view mod_poke_strangers/mod_poke_strangers.lua @ 5682:527c747711f3

mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:30:49 +0100
parents 0aa8aa6cdb1b
children 1e28f32257d6
line wrap: on
line source

local st = require"util.stanza";
local jid_split = require "util.jid".split;
local jid_bare = require "util.jid".bare;
local is_contact_subscribed = require "core.rostermanager".is_contact_subscribed;
local uuid_generate = require "util.uuid".generate;
local set = require "util.set";

local recently_queried = set.new();

local version_id = uuid_generate();
local disco_id = uuid_generate();

module:hook("iq-result/host/" .. version_id, function (event)
	module:log("info", "Stranger " .. event.stanza.attr.from .. " version: " .. tostring(event.stanza));
	return true;
end);

module:hook("iq-result/host/" .. disco_id, function (event)
	module:log("info", "Stranger " .. event.stanza.attr.from .. " disco: " .. tostring(event.stanza));
	return true;
end);

function check_subscribed(event)
	local stanza = event.stanza;
	local local_user_jid = stanza.attr.to;
	local to_user, to_host, to_resource = jid_split(local_user_jid);
	local stranger_jid = stanza.attr.from;

	if recently_queried:contains(stranger_jid) then
		module:log("debug", "Not re-poking " .. stranger_jid);
		return nil;
	end

	local from_jid = jid_bare(stranger_jid);

	if to_user and not is_contact_subscribed(to_user, to_host, from_jid) then
		if to_resource and stanza.attr.type == "groupchat" then
			return nil;
		end

		recently_queried:add(stranger_jid);

		module:send(st.iq({ type = "get", to = stranger_jid, from = to_host, id = version_id }):query("jabber:iq:version"));

		module:send(st.iq({ type = "get", to = stranger_jid, from = to_host, id = disco_id }):query("http://jabber.org/protocol/disco#info"));
	end

	return nil;
end

module:hook("message/bare", check_subscribed, 225);
module:hook("message/full", check_subscribed, 225);
-- Not hooking iqs, as that could turn into infinite loops!