Mercurial > prosody-modules

view mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua @ 5265:f845c218e52c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Allow revoking a token without OAuth client credentials If you have a valid token, and you're not supposed to have it, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should also be allowed to revoke it.
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 22:02:38 +0100
parents 73ada978dabc
children
line wrap: on
line source

local s_match = string.match;
local registerMechanism = require "util.sasl".registerMechanism;
local saslprep = require "util.encodings".stringprep.saslprep;
local nodeprep = require "util.encodings".stringprep.nodeprep;
local log = require "util.logger".init("sasl");
local _ENV = nil;


local function oauthbearer(self, message)
	if not message then
		return "failure", "malformed-request";
	end

	local authorization, password = s_match(message, "^n,a=([^,]*),\1auth=Bearer ([^\1]+)");
	if not authorization then
		return "failure", "malformed-request";
	end

	local authentication = s_match(authorization, "(.-)@.*");

	-- SASLprep password and authentication
	authentication = saslprep(authentication);
	password = saslprep(password);

	if (not password) or (password == "") or (not authentication) or (authentication == "") then
		log("debug", "Username or password violates SASLprep.");
		return "failure", "malformed-request", "Invalid username or password.";
	end

	local _nodeprep = self.profile.nodeprep;
	if _nodeprep ~= false then
		authentication = (_nodeprep or nodeprep)(authentication);
		if not authentication or authentication == "" then
			return "failure", "malformed-request", "Invalid username or password."
		end
	end

	local correct, state = false, false;
    correct, state = self.profile.oauthbearer(self, authentication, password, self.realm);

	self.username = authentication
	if state == false then
		return "failure", "account-disabled";
	elseif state == nil or not correct then
		return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";
	end
	return "success";
end

registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);