Mercurial > prosody-modules

view mod_auth_oauthbearer/mod_auth_oauthbearer.lua @ 5553:67152838afbc

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Improve error messages for URI properties Since there are separate validation checks for URI properties, including that they should use https, with better and more specific error reporting. Reverts 'luaPattern' to 'pattern' which is not currently supported by util.jsonschema, but allows anything that retrieves the schema over http to validate against it, should they wish to do so.
author Kim Alvefur <zash@zash.se>
date Sat, 17 Jun 2023 18:15:00 +0200
parents d2bf9c8be3a3
children
line wrap: on
line source

local host = module.host;
local log = module._log;
local new_sasl = require "util.sasl".new;
local base64 = require "util.encodings".base64.encode;

local provider = {};

local oauth_client_id = module:get_option_string("oauth_client_id",  "");
local oauth_client_secret = module:get_option_string("oauth_client_secret",  "");
local oauth_url = module:get_option_string("oauth_url",  "");

if oauth_client_id == "" then error("oauth_client_id required") end
if oauth_client_secret == "" then error("oauth_client_secret required") end
if oauth_url == "" then error("oauth_url required") end

-- globals required by socket.http
if rawget(_G, "PROXY") == nil then
	rawset(_G, "PROXY", false)
end
if rawget(_G, "base_parsed") == nil then
	rawset(_G, "base_parsed", false)
end

local function interp(s, tab)
	-- String interpolation, so that we can make the oauth_url configurable
	-- e.g. oauth_url = "https://api.github.com/applications/{{oauth_client_id}}/tokens/{{password}}";
	--
	-- See: http://lua-users.org/wiki/StringInterpolation
	return (s:gsub('(%b{})', function(w) return tab[w:sub(3, -3)] or w end))
end

function provider.test_password(username, password, realm)
	log("debug", "Testing signed OAuth2 for user %s at realm %s", username, realm);
	local https = require "ssl.https";
	local url = interp(oauth_url, {oauth_client_id = oauth_client_id, password = password});
	
	module:log("debug", "The URL is:  "..url);
	local _, code, headers, status = https.request{
		url = url,
		headers = {
			Authorization = "Basic "..base64(oauth_client_id..":"..oauth_client_secret);
		}
	};
	if type(code) == "number" and code >= 200 and code <= 299 then
		module:log("debug", "OAuth provider confirmed valid password");
		return true;
	else
		module:log("debug", "OAuth provider returned status code: "..code);
	end
	module:log("warn", "Auth failed. Invalid username/password or misconfiguration.");
	return nil;
end

function provider.users()
	return function()
		return nil;
	end
end

function provider.set_password(username, password)
	return nil, "Changing passwords not supported";
end

function provider.user_exists(username)
	return true;
end

function provider.create_user(username, password)
	return nil, "User creation not supported";
end

function provider.delete_user(username)
	return nil , "User deletion not supported";
end

function provider.get_sasl_handler()
	local supported_mechanisms = {};
	supported_mechanisms["OAUTHBEARER"] = true;
	return new_sasl(host, {
		oauthbearer = function(sasl, username, password, realm)
			return provider.test_password(username, password, realm), true;
		end,
        mechanisms = supported_mechanisms
	});
end

module:provides("auth", provider);