view mod_auth_token/token_auth_utils.lib.lua @ 3507:5c37d759b1e2

mod_csi_grace_period: Server-side grace period logic for CSI
author Kim Alvefur <zash@zash.se>
date Sun, 31 Mar 2019 04:49:56 +0200
parents ac1f63cdb6d6
children 6b3181fe5617
line wrap: on
line source

local base64 = require "util.encodings".base64;
local digest = require "openssl.digest";
local hmac = require "openssl.hmac";
local luatz = require "luatz";
local otp = require "otp";

local DIGEST_TYPE = "SHA256";
local OTP_DEVIATION = 1;
local OTP_DIGITS = 8;
local OTP_INTERVAL = 30;

local nonce_cache = {};

function check_nonce(jid, otp, nonce)
	-- We cache all nonces used per OTP, to ensure that a token cannot be used
	-- more than once.
	--
	-- We assume that the OTP is valid in the current time window. This is the
	-- case because we only call check_nonce *after* the OTP has been verified.
	--
	-- We only store one OTP per JID, so if a new OTP comes in, we wipe the
	-- previous OTP and its cached nonces.
	if nonce_cache[jid] == nil or nonce_cache[jid][otp] == nil then
		nonce_cache[jid] = {}
		nonce_cache[jid][otp] = {}
		nonce_cache[jid][otp][nonce] = true
		return true;
	end
	if nonce_cache[jid][otp][nonce] == true then
		return false;
	else
		nonce_cache[jid][otp][nonce] = true;
		return true;
	end
end


function verify_token(username, password, realm, otp_seed, token_secret, log)
	if (realm ~= module.host) then
		log("debug", "Verification failed: realm ~= module.host");
		return false;
	end

	local totp = otp.new_totp_from_key(otp_seed, OTP_DIGITS, OTP_INTERVAL)
	local token = string.match(password, "(%d+) ")
	local otp = token:sub(1,8)
	local nonce = token:sub(9)
	local signature = base64.decode(string.match(password, " (.+)"))
	local jid = username.."@"..realm

	if totp:verify(otp, OTP_DEVIATION, luatz.gmtime(luatz.time())) then
		log("debug", "The TOTP was verified");
		local hmac_ctx = hmac.new(token_secret, DIGEST_TYPE)
		if signature == hmac_ctx:final(otp..nonce..jid) then
			log("debug", "The key was verified");
			if check_nonce(jid, otp, nonce) then
				log("debug", "The nonce was verified");
				return true;
			end
		end
	end
	log("debug", "Verification failed");
	return false;
end

return {
	OTP_DEVIATION = OTP_DIGITS,
	OTP_DIGITS = OTP_DIGITS,
	OTP_INTERVAL = OTP_INTERVAL,
	DIGEST_TYPE = DIGEST_TYPE,
	verify_token = verify_token;
}