# HG changeset patch
# User Matthew Wild
# Date 1673628108 0
# Node ID 658658ea932360703f110e4dd92fa49f7aed76b0
# Parent a86022d702b2232e3bbff9b48fb8d53b92a42a9e
mod_unified_push: Add ACL option to restrict access

It defaults to the current host if on a VirtualHost, or parent host if a component.

diff -r a86022d702b2 -r 658658ea9323 mod_unified_push/mod_unified_push.lua
--- a/mod_unified_push/mod_unified_push.lua Fri Jan 13 16:40:00 2023 +0000
+++ b/mod_unified_push/mod_unified_push.lua Fri Jan 13 16:41:48 2023 +0000
@@ -15,6 +15,19 @@
 
 module:add_feature(xmlns_up);
 
+local acl = module:get_option_set("unified_push_acl", {
+ module:get_host_type() == "local" and module.host or module.host:match("^[^%.]%.(.+)$")
+});
+
+local function is_jid_permitted(user_jid)
+ for acl_entry in acl do
+ if jid.compare(user_jid, acl_entry) then
+ return true;
+ end
+ end
+ return false;
+end
+
 local function check_sha256(s)
 if not s then return nil, "no value provided"; end
 local d = base64.decode(s);
@@ -44,6 +57,9 @@
 -- Handle incoming registration from XMPP client
 function handle_register(event)
 local origin, stanza = event.origin, event.stanza;
+ if not is_jid_permitted(stanza.attr.from) then
+ return st.error_reply(stanza, "auth", "forbidden");
+ end
 local instance, instance_err = check_sha256(stanza.tags[1].attr.instance);
 if not instance then
 return st.error_reply(stanza, "modify", "bad-request", "instance: "..instance_err);
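Review bot: The component fallback in the `unified_push_acl` default, `module.host:match("^[^%.]%.(.+)$")`, only matches a host whose first label is exactly one character, because `[^%.]` carries no repetition. For any longer component name (for example a constructed `push.example.com`) the match returns nil, the default set is then presumably empty, and `is_jid_permitted` rejects every registration. That fails closed rather than open, but it leaves a component unusable until the option is set by hand and does not deliver the parent-host default the description promises. Changing the pattern to `module.host:match("^[^%.]+%.(.+)$")` fixes it.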
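Review bot: The new denial path at the top of `handle_register` returns `forbidden` without logging anything, so an operator cannot see which JIDs `unified_push_acl` is turning away or notice repeated attempts from hosts outside the list. A line such as `module:log("info", "UnifiedPush registration denied for %s (not in unified_push_acl)", stanza.attr.from);` before the `return` would cover that. The gate is added only at this one entry point; the rest of the function and file lie outside the hunk, so it is worth confirming that no other handler, and no registration issued before the ACL was tightened, bypasses it.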