view mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua @ 4983:7c77058a1ac5

mod_compat_roles: New module providing compat shim for trunk's new role API The new role API is translated to is_admin() calls on older versions. On newer versions (which have the role API) this module does nothing. It allows modules to drop their use of is_admin() (which is not available in trunk) and switch to the new role API, while remaining compatible with previous Prosody versions.
author Matthew Wild <mwild1@gmail.com>
date Thu, 11 Aug 2022 17:49:33 +0100
parents 73ada978dabc
children
line wrap: on
line source

local s_match = string.match;
local registerMechanism = require "util.sasl".registerMechanism;
local saslprep = require "util.encodings".stringprep.saslprep;
local nodeprep = require "util.encodings".stringprep.nodeprep;
local log = require "util.logger".init("sasl");
local _ENV = nil;


local function oauthbearer(self, message)
	if not message then
		return "failure", "malformed-request";
	end

	local authorization, password = s_match(message, "^n,a=([^,]*),\1auth=Bearer ([^\1]+)");
	if not authorization then
		return "failure", "malformed-request";
	end

	local authentication = s_match(authorization, "(.-)@.*");

	-- SASLprep password and authentication
	authentication = saslprep(authentication);
	password = saslprep(password);

	if (not password) or (password == "") or (not authentication) or (authentication == "") then
		log("debug", "Username or password violates SASLprep.");
		return "failure", "malformed-request", "Invalid username or password.";
	end

	local _nodeprep = self.profile.nodeprep;
	if _nodeprep ~= false then
		authentication = (_nodeprep or nodeprep)(authentication);
		if not authentication or authentication == "" then
			return "failure", "malformed-request", "Invalid username or password."
		end
	end

	local correct, state = false, false;
    correct, state = self.profile.oauthbearer(self, authentication, password, self.realm);

	self.username = authentication
	if state == false then
		return "failure", "account-disabled";
	elseif state == nil or not correct then
		return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";
	end
	return "success";
end

registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);