-- Expose a simple servlet to handle user registrations from web pages -- via JSON. -- -- A Good chunk of the code is from mod_data_access.lua by Kim Alvefur -- aka Zash. local usermanager = require "core.usermanager"; local b64_decode = require "util.encodings".base64.decode; local json_decode = require "util.json".decode; module.host = "*" -- HTTP/BOSH Servlets need to be global. -- Pick up configuration. local set_realm_name = module:get_option("reg_servlet_realm") or "Restricted"; local throttle_time = module:get_option("reg_servlet_ttime") or false; local whitelist = module:get_option("reg_servlet_wl") or {}; local blacklist = module:get_option("reg_servlet_bl") or {}; local recent_ips = {}; -- Begin for _, ip in ipairs(whitelist) do whitelisted_ips[ip] = true; end for _, ip in ipairs(blacklist) do blacklisted_ips[ip] = true; end local function http_response(code, message, extra_headers) local response = { status = code .. " " .. message; body = message .. "\n"; } if extra_headers then response.headers = extra_headers; end return response end local function handle_req(method, body, request) if request.method ~= "POST" then return http_response(405, "Bad method...", {["Allow"] = "POST"}); end if not request.headers["authorization"] then return http_response(401, "No... No...", {["WWW-Authenticate"]='Basic realm="'.. set_realm_name ..'"'}) end local user, password = b64_decode(request.headers.authorization :match("[^ ]*$") or ""):match("([^:]*):(.*)"); user = jid_prep(user); if not user or not password then return http_response(400, "What's this..?"); end local user_node, user_host = jid_split(user) if not hosts[user_host] then return http_response(401, "Negative."); end module:log("warn", "%s is authing to submit a new user registration data", user) if not usermanager.test_password(user_node, user_host, password) then module:log("warn", "%s failed authentication", user) return http_response(401, "Who the hell are you?! Guards!"); end local req_body; pcall(function() req_body = json.decode(body) end); -- Check if user is an admin of said host if not usermanager.is_admin(user, req_body["host"]) then module:log("warn", "%s tried to submit registration data for %s but he's not an admin", user, req_body["host"]) return http_response(401, "I obey only to my masters... Have a nice day."); else -- Various sanity checks. if req_body == nil then module:log("debug", "JSON data submitted for user registration by %s failed to Decode.", user); return http_response(400, "JSON Decoding failed."); end -- Checks for both Throttling/Whitelist and Blacklist (basically copycatted from prosody's register.lua code) if blacklist[req_body["ip"]] then module:log("warn", "Attempt of reg. submission to the JSON servlet from blacklisted address: %s", req_body["ip"]); return http_response(403, "The specified address is blacklisted, sorry sorry."); end if throttle_time and not whitelist[req_body["ip"]] then if not recent_ips[req_body["ip"]] then recent_ips[req_body["ip"]] = { time = os_time(), count = 1 }; else local ip = recent_ips[req_body["ip"]]; ip.count = ip.count + 1; if os_time() - ip.time < throttle_time then ip.time = os_time(); module:log("warn", "JSON Registration request from %s has been throttled.", req_body["ip"]); return http_response(503, "Woah... How many users you want to register..? Request throttled, wait a bit and try again."); end ip.time = os_time(); end end -- We first check if the supplied username for registration is already there. if not usermanager.user_exists(req_body["username"], req_body["host"]) then usermanager.create_user(req_body["username"], req_body["password"], req_body["host"]); module:log("debug", "%s registration data submission for %s is successful", user, req_body["user"]); return http_response(200, "Done."); else module:log("debug", "%s registration data submission for %s failed (user already exists)", user, req_body["user"]); return http_response(409, "User already exists."); end end end -- Set it up! local function setup() local ports = module:get_option("reg_servlet_port") or { 9280 }; local base_name = module:get_option("reg_servlet_base") or "register_account"; local ssl_cert = module:get_option("reg_servlet_sslcert") or false; local ssl_key = module:get_option("reg_servlet_sslkey") or false; if not ssl_cert or not ssl_key then require "net.httpserver".new_from_config(ports, handle_req, { base = base_name }); else if module:get_option("reg_servlet_port") == nil then ports = { 9443 }; end require "net.httpserver".new_from_config(ports, handle_req, { ssl = { key = ssl_key, certificate = ssl_cert }, base = base_name }); end end if prosody.start_time then -- already started setup(); else prosody.events.add_handler("server-started", setup); end