prosody-modules
d3ebaef1ea7a
mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua @ 5264:d3ebaef1ea7a

mod_http_oauth2: Correctly verify OAuth client credentials on revocation Makes no sense to validate against username and password here, or using a token to revoke another token, or itself? In fact, upon further discussion, why do you need credentials to revoke a token? If you are not supposed to have the token, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should be allowed to revoke it.
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 21:57:18 +0100
parent 3114:73ada978dabc
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3114
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
1 local s_match = string.match;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
2 local registerMechanism = require "util.sasl".registerMechanism;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
3 local saslprep = require "util.encodings".stringprep.saslprep;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
4 local nodeprep = require "util.encodings".stringprep.nodeprep;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
5 local log = require "util.logger".init("sasl");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
6 local _ENV = nil;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
7
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
8
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
9 local function oauthbearer(self, message)
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
10 if not message then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
11 return "failure", "malformed-request";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
12 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
13
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
14 local authorization, password = s_match(message, "^n,a=([^,]*),\1auth=Bearer ([^\1]+)");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
15 if not authorization then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
16 return "failure", "malformed-request";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
17 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
18
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
19 local authentication = s_match(authorization, "(.-)@.*");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
20
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
21 -- SASLprep password and authentication
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
22 authentication = saslprep(authentication);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
23 password = saslprep(password);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
24
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
25 if (not password) or (password == "") or (not authentication) or (authentication == "") then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
26 log("debug", "Username or password violates SASLprep.");
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
27 return "failure", "malformed-request", "Invalid username or password.";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
28 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
29
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
30 local _nodeprep = self.profile.nodeprep;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
31 if _nodeprep ~= false then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
32 authentication = (_nodeprep or nodeprep)(authentication);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
33 if not authentication or authentication == "" then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
34 return "failure", "malformed-request", "Invalid username or password."
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
35 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
36 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
37
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
38 local correct, state = false, false;
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
39 correct, state = self.profile.oauthbearer(self, authentication, password, self.realm);
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
40
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
41 self.username = authentication
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
42 if state == false then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
43 return "failure", "account-disabled";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
44 elseif state == nil or not correct then
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
45 return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
46 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
47 return "success";
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
48 end
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
49
73ada978dabc mod_sasl_oauthbearer and mod_auth_oauthbearer
JC Brand <jc@opkode.com>
parents:
diff changeset
50 registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);