Mercurial > prosody-modules

view mod_auth_oauthbearer/mod_auth_oauthbearer.lua @ 4980:da151f9af861

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
replaced 'session' with 'origin' in push_disable session is not defined in this function, trying to access it leads to an error. The correct reference seems to be 'origin'. (This may have come about by copying from the similar code in process_stanza_queue.)
author arcseconds
date Sat, 30 Jul 2022 21:07:47 +1200
parents d2bf9c8be3a3
children
line wrap: on
line source

local host = module.host;
local log = module._log;
local new_sasl = require "util.sasl".new;
local base64 = require "util.encodings".base64.encode;

local provider = {};

local oauth_client_id = module:get_option_string("oauth_client_id",  "");
local oauth_client_secret = module:get_option_string("oauth_client_secret",  "");
local oauth_url = module:get_option_string("oauth_url",  "");

if oauth_client_id == "" then error("oauth_client_id required") end
if oauth_client_secret == "" then error("oauth_client_secret required") end
if oauth_url == "" then error("oauth_url required") end

-- globals required by socket.http
if rawget(_G, "PROXY") == nil then
	rawset(_G, "PROXY", false)
end
if rawget(_G, "base_parsed") == nil then
	rawset(_G, "base_parsed", false)
end

local function interp(s, tab)
	-- String interpolation, so that we can make the oauth_url configurable
	-- e.g. oauth_url = "https://api.github.com/applications/{{oauth_client_id}}/tokens/{{password}}";
	--
	-- See: http://lua-users.org/wiki/StringInterpolation
	return (s:gsub('(%b{})', function(w) return tab[w:sub(3, -3)] or w end))
end

function provider.test_password(username, password, realm)
	log("debug", "Testing signed OAuth2 for user %s at realm %s", username, realm);
	local https = require "ssl.https";
	local url = interp(oauth_url, {oauth_client_id = oauth_client_id, password = password});
	
	module:log("debug", "The URL is:  "..url);
	local _, code, headers, status = https.request{
		url = url,
		headers = {
			Authorization = "Basic "..base64(oauth_client_id..":"..oauth_client_secret);
		}
	};
	if type(code) == "number" and code >= 200 and code <= 299 then
		module:log("debug", "OAuth provider confirmed valid password");
		return true;
	else
		module:log("debug", "OAuth provider returned status code: "..code);
	end
	module:log("warn", "Auth failed. Invalid username/password or misconfiguration.");
	return nil;
end

function provider.users()
	return function()
		return nil;
	end
end

function provider.set_password(username, password)
	return nil, "Changing passwords not supported";
end

function provider.user_exists(username)
	return true;
end

function provider.create_user(username, password)
	return nil, "User creation not supported";
end

function provider.delete_user(username)
	return nil , "User deletion not supported";
end

function provider.get_sasl_handler()
	local supported_mechanisms = {};
	supported_mechanisms["OAUTHBEARER"] = true;
	return new_sasl(host, {
		oauthbearer = function(sasl, username, password, realm)
			return provider.test_password(username, password, realm), true;
		end,
        mechanisms = supported_mechanisms
	});
end

module:provides("auth", provider);