view mod_auth_http/mod_auth_http.lua @ 5518:d87d0e4a8516

mod_http_oauth2: Validate the OpenID 'prompt' parameter Without support for affecting the login and consent procedure, it seems sensible to inform the client that they can't change anything with this parameter.
author Kim Alvefur <zash@zash.se>
date Mon, 05 Jun 2023 22:19:17 +0200
parents 8862a80cbd00
children
line wrap: on
line source

-- Prosody IM
-- Copyright (C) 2008-2013 Matthew Wild
-- Copyright (C) 2008-2013 Waqas Hussain
-- Copyright (C) 2014 Kim Alvefur
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local new_sasl = require "util.sasl".new;
local base64 = require "util.encodings".base64.encode;
local have_async, async = pcall(require, "util.async");
local http = require "net.http";

if not have_async then
	error("Your version of Prosody does not support async and is incompatible");
end

local host = module.host;

local api_base = module:get_option_string("http_auth_url",  ""):gsub("$host", host);
if api_base == "" then error("http_auth_url required") end
api_base = api_base:gsub("/$", "");

local auth_creds = module:get_option_string("http_auth_credentials");

local method_types = {
	-- Unlisted methods default to GET
	register = "POST";
	set_password = "POST";
	remove_user = "POST";
};

local provider = {};

local function make_request(method_name, params)
	local wait, done = async.waiter();

	local method_type = method_types[method_name] or "GET";

	params.server = params.server or host;
	local encoded_params = http.formencode(params);

	local url;
	local ex = {
		method = method_type;
		headers = { Authorization = auth_creds and ("Basic "..base64(auth_creds)) or nil; };
	}
	if method_type == "POST" then
		url = api_base.."/"..method_name;
		ex.headers["Content-Type"] = "application/x-www-form-urlencoded";
		ex.body = encoded_params;
	else
		url = api_base.."/"..method_name.."?"..encoded_params;
	end

	local content, code;
	local function cb(content_, code_)
		content, code = content_, code_;
		done();
	end
	http.request(url, ex, cb);
	wait();
	return code, content;
end

function provider.test_password(username, password)
	local code, body = make_request("check_password", { user = username, pass = password });
	if code == 200 and body == "true" then
		return true;
	end
	return false;
end

function provider.users()
	return function()
		return nil;
	end
end

function provider.set_password(username, password)
	local code = make_request("set_password", { user = username, pass = password });
	if code == 200 or code == 201 or code == 204 then
		return true;
	end
	return false;
end

function provider.user_exists(username)
	local code, body = make_request("user_exists", { user = username });
	if code == 200 and body == "true" then
		return true;
	end
	return false;
end

function provider.create_user(username, password)
	local code = make_request("register", { user = username, pass = password });
	if code == 201 then
		return true;
	end
	return false;
end

function provider.delete_user(username)
	local code = make_request("remove_user", { user = username });
	if code == 200 or code == 201 or code == 204 then
		return true;
	end
	return false;
end

function provider.get_sasl_handler()
	return new_sasl(host, {
		--luacheck: ignore 212/sasl 212/realm
		plain_test = function(sasl, username, password, realm)
			return provider.test_password(username, password), true;
		end;
	});
end

module:provides("auth", provider);