# HG changeset patch # User Kim Alvefur # Date 1605999310 -3600 # Node ID c539334dd01acbf319165dc6b8e97c26b05b002d # Parent 721b528c01e1377b1a9c9f3024f77a8182b51194 mod_http_oauth2: Rescope oauth client config into users' storage This produces client_id of the form owner@host/random and prevents clients from being deleted by registering an account with the same name and then deleting the account, as well as having the client automatically be deleted when the owner account is removed. On one hand, this leaks the bare JID of the creator to users. On the other hand, it makes it obvious who made the oauth application. This module is experimental and only for developers, so this can be changed if a better method comes up. diff -r 721b528c01e1 -r c539334dd01a mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Sat Nov 21 23:03:47 2020 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Nov 21 23:55:10 2020 +0100 @@ -10,7 +10,7 @@ local tokens = module:depends("tokenauth"); -local clients = module:open_store("oauth2_clients"); +local clients = module:open_store("oauth2_clients", "map"); local codes = module:open_store("oauth2_codes", "map"); local function oauth_error(err_name, err_desc) @@ -60,15 +60,18 @@ return oauth_error("invalid_scope", "unknown scope requested"); end - local client, err = clients:get(params.client_id); - module:log("debug", "clients:get(%q) --> %q, %q", params.client_id, client, err); + local client_owner, client_host, client_id = jid.prepped_split(params.client_id); + if client_host ~= module.host then + return oauth_error("invalid_client", "incorrect credentials"); + end + local client, err = clients:get(client_owner, client_id); if err then error(err); end if not client then return oauth_error("invalid_client", "incorrect credentials"); end local code = uuid.generate(); - assert(codes:set(params.client_id, code, { issued = os.time(), granted_jid = granted_jid, })); + assert(codes:set(client_owner, client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid})); local redirect = url.parse(params.redirect_uri); local query = http.formdecode(redirect.query or ""); @@ -95,18 +98,24 @@ return oauth_error("invalid_scope", "unknown scope requested"); end - local client, err = clients:get(params.client_id); - if err then error(err); end - if not client or client.secret ~= params.client_secret then + local client_owner, client_host, client_id = jid.prepped_split(params.client_id); + if client_host ~= module.host then + module:log("debug", "%q ~= %q", client_host, module.host); return oauth_error("invalid_client", "incorrect credentials"); end - local code, err = codes:get(params.client_id, params.code); + local client, err = clients:get(client_owner, client_id); + if err then error(err); end + if not client or client.client_secret ~= params.client_secret then + module:log("debug", "client_secret mismatch"); + return oauth_error("invalid_client", "incorrect credentials"); + end + local code, err = codes:get(client_owner, client_id .. "#" .. params.code); if err then error(err); end if not code or type(code) ~= "table" or os.difftime(os.time(), code.issued) > 900 then + module:log("debug", "authorization_code invalid or expired: %q", code); return oauth_error("invalid_client", "incorrect credentials"); end - assert(codes:set(params.client_id, params.code, nil)); - + assert(codes:set(client_owner, client_id .. "#" .. params.code, nil)); return json.encode(new_access_token(code.granted_jid, nil, nil)); end