Annotate

mod_auth_http_cookie/mod_auth_http_cookie.lua @ 5255:001c8fdc91a4

mod_http_oauth2: Add support for the "openid" scope This "openid" scope is there to signal access to the userinfo endpoint, which is needed for OIDC support. We don't actually check this later because the userinfo endpoint only returns info embedded in the token itself, but in the future we may want to check this more carefully.
author Kim Alvefur <zash@zash.se>
date Thu, 16 Mar 2023 17:06:35 +0100
parent 3224:b7aa8630438e
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3037
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 -- Prosody IM
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 -- Copyright (C) 2008-2013 Matthew Wild
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 -- Copyright (C) 2008-2013 Waqas Hussain
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 -- Copyright (C) 2014 Kim Alvefur
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5 --
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 -- This project is MIT/X11 licensed. Please see the
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7 -- COPYING file in the source package for more information.
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 --
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 local new_sasl = require "util.sasl".new;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local base64 = require "util.encodings".base64.encode;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12 local have_async, async = pcall(require, "util.async");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 local nodeprep = require "util.encodings".stringprep.nodeprep;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 local log = module._log;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 local host = module.host;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 local password_auth_url = module:get_option_string("http_auth_url", ""):gsub("$host", host);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 local cookie_auth_url = module:get_option_string("http_cookie_auth_url");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 if cookie_auth_url then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 cookie_auth_url = cookie_auth_url:gsub("$host", host);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 local external_needs_authzid = cookie_auth_url and cookie_auth_url:match("$user");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 if password_auth_url == "" and not cookie_auth_url then error("http_auth_url or http_cookie_auth_url required") end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 local provider = {};
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 -- globals required by socket.http
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 if rawget(_G, "PROXY") == nil then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 rawset(_G, "PROXY", false)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 if rawget(_G, "base_parsed") == nil then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 rawset(_G, "base_parsed", false)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 if not have_async then -- FINE! Set your globals then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 prosody.unlock_globals()
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42 require "ltn12"
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 require "socket"
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44 require "socket.http"
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 require "ssl.https"
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46 prosody.lock_globals()
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
49 local function async_http_request(url, headers)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 module:log("debug", "async_http_auth()");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 local http = require "net.http";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 local wait, done = async.waiter();
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53 local content, code, request, response;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
54 local ex = {
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
55 headers = headers;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
56 }
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
57 local function cb(content_, code_, request_, response_)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58 content, code, request, response = content_, code_, request_, response_;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59 done();
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
61 http.request(url, ex, cb);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
62 wait();
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
63 log("debug", "response code %s", tostring(code));
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64 if code >= 200 and code <= 299 then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 return true, content;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
69
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70 local function sync_http_request(url, headers)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71 module:log("debug", "sync_http_auth()");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 require "ltn12";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73 local http = require "socket.http";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74 local https = require "ssl.https";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
75 local request;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
76 if string.sub(url, 1, string.len('https')) == 'https' then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
77 request = https.request;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 else
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
79 request = http.request;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81 local body_chunks = {};
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
82 local _, code, headers, status = request{
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 url = url,
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 headers = headers;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85 sink = ltn12.sink.table(body_chunks);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
86 };
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
87 log("debug", "response code %s %s", type(code), tostring(code));
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
88 if type(code) == "number" and code >= 200 and code <= 299 then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89 log("debug", "success")
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 return true, table.concat(body_chunks);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
92 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
93 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
95 local http_request = have_async and async_http_request or sync_http_request;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
96
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
97 function http_test_password(username, password)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
98 local url = password_auth_url:gsub("$user", username):gsub("$password", password);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
99 log("debug", "Testing password for user %s at host %s with URL %s", username, host, url);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
100 local ok = (http_request(url, { Authorization = "Basic "..base64(username..":"..password); }));
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
101 if not ok then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
102 return nil, "not authorized";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
103 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
104 return true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
105 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
106
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
107 function http_test_cookie(cookie, username)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
108 local url = external_needs_authzid and cookie_auth_url:gsub("$user", username) or cookie_auth_url;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
109 log("debug", "Testing cookie auth for user %s at host %s with URL %s", username or "<unknown>", host, url);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
110 local ok, resp = http_request(url, { Cookie = cookie; });
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
111 if not ok then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
112 return nil, "not authorized";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
113 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
114
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
115 return external_needs_authzid or resp;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
116 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
117
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
118 function provider.test_password(username, password)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
119 return http_test_password(username, password);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
120 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
121
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
122 function provider.users()
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
123 return function()
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
124 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
125 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
126 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
127
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
128 function provider.set_password(username, password)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
129 return nil, "Changing passwords not supported";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
130 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
131
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
132 function provider.user_exists(username)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
133 return true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
134 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
135
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
136 function provider.create_user(username, password)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
137 return nil, "User creation not supported";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
138 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
139
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
140 function provider.delete_user(username)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
141 return nil , "User deletion not supported";
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
142 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
143
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
144 local function get_session_cookies(session)
3224
b7aa8630438e mod_auth_http_cookie: Also try to get HTTP request from WebSocket session
Kim Alvefur <zash@zash.se>
parents: 3223
diff changeset
145 local request = session.websocket_request; -- WebSockets
b7aa8630438e mod_auth_http_cookie: Also try to get HTTP request from WebSocket session
Kim Alvefur <zash@zash.se>
parents: 3223
diff changeset
146 if not request and session.requests then -- BOSH
b7aa8630438e mod_auth_http_cookie: Also try to get HTTP request from WebSocket session
Kim Alvefur <zash@zash.se>
parents: 3223
diff changeset
147 request = session.requests[1];
3223
9a89ec5030b5 mod_auth_http_cookie: Try to get HTTP request from array on BOSH sessions
Kim Alvefur <zash@zash.se>
parents: 3037
diff changeset
148 end
9a89ec5030b5 mod_auth_http_cookie: Try to get HTTP request from array on BOSH sessions
Kim Alvefur <zash@zash.se>
parents: 3037
diff changeset
149 if not request and session.conn._http_open_response then -- Fallback BOSH
9a89ec5030b5 mod_auth_http_cookie: Try to get HTTP request from array on BOSH sessions
Kim Alvefur <zash@zash.se>
parents: 3037
diff changeset
150 local response = session.conn._http_open_response;
9a89ec5030b5 mod_auth_http_cookie: Try to get HTTP request from array on BOSH sessions
Kim Alvefur <zash@zash.se>
parents: 3037
diff changeset
151 request = response and response.request;
9a89ec5030b5 mod_auth_http_cookie: Try to get HTTP request from array on BOSH sessions
Kim Alvefur <zash@zash.se>
parents: 3037
diff changeset
152 end
3037
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
153 if request then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
154 return request.headers.cookie;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
155 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
156 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
157
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
158 function provider.get_sasl_handler(session)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
159 local cookie = cookie_auth_url and get_session_cookies(session);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
160 log("debug", "Request cookie: %s", cookie);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
161 return new_sasl(host, {
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
162 plain_test = function(sasl, username, password, realm)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
163 return provider.test_password(username, password), true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
164 end;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
165 external = cookie and function (authzid)
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
166 if external_needs_authzid then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 -- Authorize the username provided by the client, using request cookie
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 if authzid ~= "" then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
169 module:log("warn", "Client requested authzid, but cookie auth URL does not contain $user variable");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
170 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
171 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
172 local success = http_test_cookie(cookie);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
173 if not success then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
174 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
175 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
176 return nodeprep(authzid), true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
177 else
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
178 -- Authorize client using request cookie, username comes from auth server
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
179 if authzid == "" then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
180 module:log("warn", "Client did not provide authzid, but cookie auth URL contains $user variable");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
181 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
182 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
183 local unprepped_username = http_test_cookie(cookie, nodeprep(authzid));
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
184 local username = nodeprep(unprepped_username);
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
185 if not username then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
186 if unprepped_username then
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
187 log("warn", "Username supplied by cookie_auth_url is not valid for XMPP");
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
188 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
189 return nil;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
190 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
191 return username, true;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
192 end;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
193 end;
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
194 });
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
195 end
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
196
bae7b0a002ef mod_auth_http_cookie: Possibly temporary fork of mod_http_auth_async that adds cookie auth support
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
197 module:provides("auth", provider);