
mod_http_oauth2: Validate consistency of response and grant types Ensure that these correlated fields make sense per RFC 7591 § 2.1, even though we currently only check the response type during authorization. This could probably all be deleted if (when!) we remove the implicit grant, since then these things don't make any sense anymore.

-- Expose a simple token based servlet to handle user registrations from web pages
-- through Base64 encoded JSON.

-- Copyright (C) 2010 - 2013, Marco Cirillo (LW.Org)

local datamanager = datamanager
local b64_decode = require "util.encodings".base64.decode
local b64_encode = require "util.encodings".base64.encode
local http_event = require "net.http.server".fire_event
local jid_prep = require "util.jid".prep
local jid_split = require "util.jid".split
local json_decode = require "util.json".decode
local nodeprep = require "util.encodings".stringprep.nodeprep
local open, os_time, setmt, type = io.open, os.time, setmetatable, type
local sha1 = require "util.hashes".sha1
local urldecode = http.urldecode
local usermanager = usermanager
local uuid_gen = require "util.uuid".generate
local timer = require "util.timer"

module:depends("http")

-- Pick up configuration and setup stores/variables.

-- Shared secret the web front-end has to present in every registration
-- request. When the option is unset this stays nil, so no request can match.
local auth_token = module:get_option_string("reg_servlet_auth_token")
-- When true (the default) requests that did not arrive over HTTPS are ignored.
local secure = module:get_option_boolean("reg_servlet_secure", true)
local base_path = module:get_option_string("reg_servlet_base", "/register_account/")
-- Minimum number of seconds between two requests from the same (reported) IP;
-- nil turns throttling off.
local throttle_time = module:get_option_number("reg_servlet_ttime", nil)
-- IPs exempt from throttling, and IPs refused outright.
local whitelist = module:get_option_set("reg_servlet_wl", {})
local blacklist = module:get_option_set("reg_servlet_bl", {})
-- Lua patterns; a mail address matching any of them is refused.
local fm_patterns = module:get_option("reg_servlet_filtered_mails", {})
if type(fm_patterns) ~= "table" then
	fm_patterns = {}
end

-- Directory holding the HTML templates and static assets, next to this file.
local files_base = module.path:gsub("/[^/]+$", "") .. "/template/"

-- In-memory state: last request time per IP (never pruned), registrations
-- awaiting verification keyed by UUID, and the reverse map username -> UUID.
local recent_ips, pending, pending_node = {}, {}, {}

-- Setup hashes data structure

-- `hashes` maps b64(sha1(mail)) -> username and keeps a reverse index
-- `_index[username] -> hash` so an entry can be dropped when the account goes.
-- It is deliberately not `local`: module.restore reassigns it on reload.
-- NOTE(review): the digest is unsalted and mail addresses are low-entropy, so
-- the persisted store can be reversed by dictionary; treat it as personal data.
hashes = { _index = {} }
local hashes_mt = {}
hashes_mt.__index = hashes_mt

--- Record that `mail` is now bound to `node` and persist the store.
-- @tparam string node the (nodeprepped) username
-- @tparam string mail the mail address; only its digest is kept
-- @treturn boolean true when the digest was new, false when it was already present
function hashes_mt:add(node, mail)
	local digest = b64_encode(sha1(mail))
	if self:exists(digest) then
		return false
	end
	self[digest] = node
	self._index[node] = digest
	self:save()
	return true
end

--- Whether `hash` is recorded in the module-wide `hashes` table.
-- @tparam string hash a digest as produced by add()
-- @treturn boolean
function hashes_mt:exists(hash)
	return not not hashes[hash]
end

--- Forget the digest bound to `node` (no-op when none is known) and persist.
-- @tparam string node username
function hashes_mt:remove(node)
	local digest = self._index[node]
	if not digest then return end
	self[digest] = nil
	self._index[node] = nil
	self:save()
end

--- Write the whole table (digests plus `_index`) to the "hashes" store of this host.
function hashes_mt:save()
	local stored = datamanager.store("register_json", module.host, "hashes", hashes)
	if not stored then
		module:log("error", "Failed to save the mail addresses' hashes store.")
	end
end

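--- Decide whether a mail address may be used for registration.
-- @tparam string address the address supplied by the client
-- @treturn boolean false when `address` is not a string or matches any of the
-- admin-configured Lua patterns in `reg_servlet_filtered_mails`, true otherwise
local function check_mail(address)
	-- The address comes straight from the request body; anything but a string
	-- cannot be matched (and `address:match` would raise), so refuse it.
	if type(address) ~= "string" then return false end
	for _, pattern in ipairs(fm_patterns) do
		-- Lua patterns (not regexes), taken from trusted configuration.
		if address:match(pattern) then return false end
	end
	return true
end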

-- Begin

--- Build the body of an error reply by delegating to the HTTP server's
-- generic "http-error" event.
-- @tparam number code HTTP status code
-- @tparam string message error text shown to the client
-- @return whatever the "http-error" handler returns
local function handle(code, message)
	local err = { code = code, message = message }
	return http_event("http-error", err)
end
--- Send an error reply on `event.response`.
-- @param event the HTTP event whose `response` is written to
-- @tparam number code HTTP status code
-- @tparam string message error text handed to handle()
-- @tparam[opt] table headers extra header fields copied onto the response
local function http_response(event, code, message, headers)
	local response = event.response
	for name, value in pairs(headers or {}) do
		response.headers[name] = value
	end
	response.status_code = code
	response:send(handle(code, message))
end

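-- Fields every registration request must carry, all as JSON strings: the
-- values go to nodeprep, sha1 and pattern matching, which need strings.
local REQUIRED_FIELDS = { "username", "password", "ip", "mail", "auth_token" }

--- Decode and sanity-check a registration request body.
-- @tparam string|nil raw the raw HTTP request body (Base64 of a JSON object)
-- @treturn table|nil the decoded object, or nil plus "decode" (not valid
-- Base64/JSON, or not a JSON object) or "fields" (a required field is missing
-- or not a string)
local function parse_registration(raw)
	local ok, decoded = pcall(function() return json_decode(b64_decode(raw)) end)
	-- json_decode may also report failure by returning nil instead of raising.
	if not ok or type(decoded) ~= "table" then return nil, "decode" end
	for _, field in ipairs(REQUIRED_FIELDS) do
		if type(decoded[field]) ~= "string" then return nil, "fields" end
	end
	return decoded
end

--- HTTP handler for POST <base_path>: a trusted web front-end submits a
-- registration on behalf of an end user.
-- The body is a Base64-encoded JSON object with the string fields username,
-- password, ip (the end user's address as seen by the front-end), mail and
-- auth_token (the shared secret from `reg_servlet_auth_token`). The token
-- authenticates the front-end, not the user; blacklist, throttling and the
-- mail filter act on the reported `ip`/`mail` because the token holder is
-- trusted to report them honestly.
-- On success the reply body is a fresh UUID which the front-end must hand to
-- the user for the verify step; the request expires after 300 seconds.
-- @param event Prosody HTTP event; `event.request` is read
-- @return the UUID string on success, nil when the request is not secure,
-- otherwise the result of http_response (an error reply has been sent)
local function handle_req(event)
	local request = event.request
	if secure and not request.secure then return nil end

	if request.method ~= "POST" then
		return http_response(event, 405, "Bad method.", {["Allow"] = "POST"})
	end

	local req_body, why = parse_registration(request.body)
	if not req_body then
		if why == "decode" then
			module:log("debug", "Data submitted for user registration by %s failed to Decode.", request.ip)
			return http_response(event, 400, "Decoding failed.")
		end
		module:log("debug", "%s supplied an insufficent number of elements or wrong elements for the JSON registration", request.ip)
		return http_response(event, 400, "Invalid syntax.")
	end

	local username, password, ip, mail, token = req_body.username, req_body.password, req_body.ip, req_body.mail, req_body.auth_token

	-- An unset reg_servlet_auth_token leaves auth_token nil, so every request
	-- is refused here. NOTE(review): plain `~=` compare; whether that leaks
	-- timing depends on the Lua VM's string equality, consider a constant-time
	-- compare for long tokens.
	if token ~= auth_token then
		module:log("warn", "%s tried to retrieve a registration token for %s@%s", request.ip, username, module.host)
		return http_response(event, 401, "Auth token is invalid! The attempt has been logged.")
	end

	if blacklist:contains(ip) then
		module:log("warn", "Attempt of reg. submission to the JSON servlet from blacklisted address: %s", ip)
		return http_response(event, 403, "The specified address is blacklisted, sorry.")
	end

	if not check_mail(mail) then
		module:log("warn", "%s attempted to use a mail address (%s) matching one of the forbidden patterns.", ip, mail)
		return http_response(event, 403, "Requesting to register using this E-Mail address is forbidden, sorry.")
	end

	-- Normalise the username (RFC 6122 nodeprep); nil means it contains
	-- characters that cannot appear in a JID localpart.
	local raw_username = username
	username = nodeprep(username)
	if not username then
		module:log("debug", "An username containing invalid characters was supplied: %s", raw_username)
		return http_response(event, 406, "Supplied username contains invalid characters, see RFC 6122.")
	end

	if pending_node[username] then
		module:log("warn", "%s attempted to submit a registration request but another request for that user (%s) is pending", ip, username)
		return http_response(event, 401, "Another user registration by that username is pending.")
	end

	if usermanager.user_exists(username, module.host) then
		module:log("debug", "%s registration data submission failed (user already exists)", username)
		return http_response(event, 409, "User already exists.")
	end

	-- Throttle per reported IP only after the username has passed every check
	-- above, so a rejected request does not use up the caller's slot.
	-- recent_ips is never pruned, so it grows with the number of distinct IPs.
	if throttle_time and not whitelist:contains(ip) then
		local last_seen = recent_ips[ip]
		local now = os_time()
		recent_ips[ip] = now
		if last_seen and now - last_seen < throttle_time then
			module:log("warn", "JSON Registration request from %s has been throttled.", ip)
			return http_response(event, 503, "Request throttled, wait a bit and try again.")
		end
	end

	-- Claim the mail digest first: if the address is already taken nothing
	-- else must be touched.
	local uuid = uuid_gen()
	if not hashes:add(username, mail) then
		module:log("warn", "%s (%s) attempted to register to the server with an E-Mail address we already possess the hash of.", username, ip)
		return http_response(event, 409, "The E-Mail Address provided matches the hash associated to an existing account.")
	end
	-- The password is held in clear text in memory until verification or expiry.
	pending[uuid] = { node = username, password = password, ip = ip }
	pending_node[username] = uuid

	-- Unverified requests expire after five minutes, releasing the username
	-- and the mail digest again.
	timer.add_task(300, function()
		if pending[uuid] then
			pending[uuid] = nil
			pending_node[username] = nil
			hashes:remove(username)
		end
	end)
	module:log("info", "%s (%s) submitted a registration request and is awaiting final verification", username, uuid)
	return uuid
end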

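--- Read a whole file in binary mode.
-- Callers must pass trusted paths only: both call sites build the path from
-- `files_base` plus a literal or an allow-listed name, never from the URL.
-- @tparam string file path to read
-- @treturn string|nil the file contents, or nil plus the io.open error message
local function open_file(file)
	local f, err = open(file, "rb")
	if not f then return nil, err end
	local data = f:read("*a")
	f:close()
	return data
end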

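--- Render one of the HTML templates shipped as template/<kind>_t.html.
-- The placeholder %REG-URL in the file is replaced with the verify endpoint path.
-- @param event HTTP event, used only to send a 500 when the template is missing
-- @tparam string kind template name; call sites pass the literals "form",
-- "fail" and "success", never client input
-- @treturn string the rendered page, or the result of http_response on failure
local function r_template(event, kind)
	local data = open_file(files_base..kind.."_t.html")
	if not data then
		return http_response(event, 500, "Failed to obtain template.")
	end
	-- The replacement is a gsub template, so a '%' in base_path has to be
	-- doubled or gsub would read it as a capture reference.
	local verify_url = (base_path.."verify/"):gsub("%%", "%%%%")
	data = data:gsub("%%REG%-URL", verify_url)
	return data
end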

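-- Static assets the verify page may fetch, keyed by the exact URL tail.
-- This explicit allow-list (not a directory walk) is what keeps other files
-- under files_base from being served; extend it here rather than in the handler.
local valid_files = {
	["css/style.css"] = files_base.."css/style.css",
	["images/tile.png"] = files_base.."images/tile.png",
	["images/header.png"] = files_base.."images/header.png"
}

--- HTTP handler for <base_path>verify/*: the end user's side of the flow.
-- GET "" serves the form and GET <asset> one of `valid_files`; POST "" with a
-- body "uuid=<token>" activates the pending registration with that UUID,
-- creating the account and firing "user-registered".
-- The UUID handed out by handle_req is the only credential checked here, so it
-- must reach the user over a confidential channel.
-- @param event HTTP event
-- @tparam string path the part of the URL after "verify/"
-- @return page/asset body as a string, the result of http_response for errors,
-- or nil (unknown path, or insecure request) which leaves the reply to Prosody
local function handle_verify(event, path)
	local request = event.request
	local body = request.body
	if secure and not request.secure then return nil end

	if request.method == "GET" then
		if path == "" then
			return r_template(event, "form")
		end
		local asset = valid_files[path]
		if asset then
			local data = open_file(asset)
			if data then return data end
			return http_response(event, 404, "Not found.")
		end
		-- NOTE(review): no Content-Type is set on the assets, so they go out
		-- with the server's default; a browser may refuse a stylesheet that is
		-- not declared as text/css.
	elseif request.method == "POST" then
		if path ~= "" then return nil end
		if not body then return http_response(event, 400, "Bad Request.") end
		local uuid = urldecode(body):match("^uuid=(.*)$")
		local entry = uuid and pending[uuid]
		if not entry then
			return r_template(event, "fail")
		end

		local username, password, ip = entry.node, entry.password, entry.ip
		local ok, err = usermanager.create_user(username, password, module.host)
		if not ok then
			-- create_user may hand back a nil reason; tostring keeps the concat safe.
			err = tostring(err)
			module:log("error", "User creation failed: "..err)
			return http_response(event, 500, "Encountered server error while creating the user: "..err)
		end
		module:fire_event(
			"user-registered",
			{ username = username, host = module.host, source = "mod_register_json", session = { ip = ip } }
		)
		module:log("info", "Account %s@%s is successfully verified and activated", username, module.host)
		-- Only a successful creation clears the pending entry; on failure the
		-- user can retry with the same UUID until the expiry timer fires.
		pending[uuid] = nil ; pending_node[username] = nil
		return r_template(event, "success")
	else
		return http_response(event, 405, "Invalid method.")
	end
end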

--- Forget the mail digest of an account deleted on this host, so the address
-- becomes available for a new registration.
-- @param event "user-deleted" event carrying `username` and `host`
local function handle_user_deletion(event)
	if event.host ~= module.host then return end
	hashes:remove(event.username)
end

-- Set it up!

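-- Load the persisted mail-digest store, falling back to the empty one above.
-- A store written without the reverse index would make hashes:remove() fail
-- on `self._index[node]`, so make sure `_index` exists before use.
hashes = datamanager.load("register_json", module.host, "hashes") or hashes
hashes._index = hashes._index or {}
setmt(hashes, hashes_mt)

module:provides("http", {
	default_path = base_path,
	route = {
		["GET /"] = handle_req,
		["POST /"] = handle_req,
		["GET /verify/*"] = handle_verify,
		["POST /verify/*"] = handle_verify
	}
})

module:hook_global("user-deleted", handle_user_deletion, 10);

-- Reloadability

module.save = function() return { hashes = hashes } end
module.restore = function(data)
	hashes = data.hashes or { _index = {} }
	hashes._index = hashes._index or {}
	setmt(hashes, hashes_mt)
end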