Mercurial > prosody-modules
view mod_sasl2_sm/mod_sasl2_sm.lua @ 5149:fa56ed2bacab
mod_unified_push: Add support for multiple token backends, including stoage
Now that we have ACLs by default, it is no longer necessary to be completely
stateless. On 0.12, using storage has benefits over JWT, because it does not
expose client JIDs to the push apps/services. In trunk, PASETO is stateless
and does not expose client JIDs.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Sat, 14 Jan 2023 14:31:37 +0000 |
| parents | c92c87daa09e |
| children | 92ce3859df63 |
line wrap: on
line source
local st = require "util.stanza"; local mod_smacks = module:depends("smacks"); local xmlns_sasl2 = "urn:xmpp:sasl:2"; local xmlns_sm = "urn:xmpp:sm:3"; module:depends("sasl2"); -- Advertise what we can do module:hook("advertise-sasl-features", function (event) local features = event.features; features:tag("sm", { xmlns = xmlns_sm }):up(); end); module:hook("advertise-bind-features", function (event) local features = event.features; features:tag("feature", { var = xmlns_sm }):up(); end); module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) -- Cache action for future processing (after auth success) session.sasl2_sm_request = auth:child_with_ns(xmlns_sm); end, 100); -- SASL 2 integration (for resume) module:hook("sasl2/c2s/success", function (event) local session = event.session; local sm_request = session.sasl2_sm_request; if not sm_request then return; end session.sasl2_sm_request = nil; local sm_result; if sm_request.name ~= "resume" then return; end local resumed, err = mod_smacks.do_resume(session, sm_request); if not resumed then local h = err.context and err.context.h; sm_result = st.stanza("failed", { xmlns = xmlns_sm, h = h and ("%d"):format(h) or nil }) :add_error(err); else event.session = resumed.session; -- Update to resumed session event.session.sasl2_sm_success = resumed; -- To be called after sending final SASL response sm_result = st.stanza("resumed", { xmlns = xmlns_sm, h = ("%d"):format(event.session.handled_stanza_count); previd = resumed.id; }); end if sm_result then event.success:add_child(sm_result); end end, 110); -- Bind 2 integration (for enable) module:hook("advertise-bind-features", function (event) event.features:tag("feature", { var = xmlns_sm }):up(); end); module:hook("enable-bind-features", function (event) local sm_enable = event.request:get_child("enable", xmlns_sm); if not sm_enable then return; end local sm_result; local enabled, err = mod_smacks.do_enable(event.session, sm_enable); if not enabled then sm_result = st.stanza("failed", { xmlns = xmlns_sm }) :add_error(err); else event.session.sasl2_sm_success = enabled; -- To be called after sending final SASL response sm_result = st.stanza("enabled", { xmlns = xmlns_sm; id = enabled.id; resume = enabled.id and "1" or nil; max = enabled.resume_max; }); end event.result:add_child(sm_result); end, 100); -- Finish and/or clean up after SASL 2 completed module:hook("sasl2/c2s/success", function (event) -- The authenticate response has already been sent at this point local success = event.session.sasl2_sm_success; if success then success.finish(); -- Finish enable/resume and sync stanzas end end, -1100); module:hook("sasl2/c2s/failure", function (event) event.session.sasl2_sm_request = nil; end);