Mercurial > prosody-modules

view mod_auth_http/mod_auth_http.lua @ 4651:8231774f5bfd

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_cloud_notify_encrypted: Ensure body substring remains valid UTF-8 The `body:sub()` call risks splitting the string in the middle of a multi-byte UTF-8 sequence. This should have been caught by util.stanza validation, but that would have caused some havoc, at the very least causing the notification to not be sent. There have been no reports of this happening. Likely because this module isn't widely deployed among users with languages that use many longer UTF-8 sequences. The util.encodings.utf8.valid() function is O(n) where only the last sequence really needs to be checked, but it's in C and expected to be fast.
author Kim Alvefur <zash@zash.se>
date Sun, 22 Aug 2021 13:22:59 +0200
parents 8862a80cbd00
children
line wrap: on
line source

-- Prosody IM
-- Copyright (C) 2008-2013 Matthew Wild
-- Copyright (C) 2008-2013 Waqas Hussain
-- Copyright (C) 2014 Kim Alvefur
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local new_sasl = require "util.sasl".new;
local base64 = require "util.encodings".base64.encode;
local have_async, async = pcall(require, "util.async");
local http = require "net.http";

if not have_async then
	error("Your version of Prosody does not support async and is incompatible");
end

local host = module.host;

local api_base = module:get_option_string("http_auth_url",  ""):gsub("$host", host);
if api_base == "" then error("http_auth_url required") end
api_base = api_base:gsub("/$", "");

local auth_creds = module:get_option_string("http_auth_credentials");

local method_types = {
	-- Unlisted methods default to GET
	register = "POST";
	set_password = "POST";
	remove_user = "POST";
};

local provider = {};

local function make_request(method_name, params)
	local wait, done = async.waiter();

	local method_type = method_types[method_name] or "GET";

	params.server = params.server or host;
	local encoded_params = http.formencode(params);

	local url;
	local ex = {
		method = method_type;
		headers = { Authorization = auth_creds and ("Basic "..base64(auth_creds)) or nil; };
	}
	if method_type == "POST" then
		url = api_base.."/"..method_name;
		ex.headers["Content-Type"] = "application/x-www-form-urlencoded";
		ex.body = encoded_params;
	else
		url = api_base.."/"..method_name.."?"..encoded_params;
	end

	local content, code;
	local function cb(content_, code_)
		content, code = content_, code_;
		done();
	end
	http.request(url, ex, cb);
	wait();
	return code, content;
end

function provider.test_password(username, password)
	local code, body = make_request("check_password", { user = username, pass = password });
	if code == 200 and body == "true" then
		return true;
	end
	return false;
end

function provider.users()
	return function()
		return nil;
	end
end

function provider.set_password(username, password)
	local code = make_request("set_password", { user = username, pass = password });
	if code == 200 or code == 201 or code == 204 then
		return true;
	end
	return false;
end

function provider.user_exists(username)
	local code, body = make_request("user_exists", { user = username });
	if code == 200 and body == "true" then
		return true;
	end
	return false;
end

function provider.create_user(username, password)
	local code = make_request("register", { user = username, pass = password });
	if code == 201 then
		return true;
	end
	return false;
end

function provider.delete_user(username)
	local code = make_request("remove_user", { user = username });
	if code == 200 or code == 201 or code == 204 then
		return true;
	end
	return false;
end

function provider.get_sasl_handler()
	return new_sasl(host, {
		--luacheck: ignore 212/sasl 212/realm
		plain_test = function(sasl, username, password, realm)
			return provider.test_password(username, password), true;
		end;
	});
end

module:provides("auth", provider);