Software /
code /
prosody-modules
Comparison
mod_pubsub_post/mod_pubsub_post.lua @ 3501:1df139b157fb
mod_pubsub_post: Add support for WebSub authentication
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 24 Aug 2018 14:52:09 +0200 |
parent | 3255:64d1dfbd1740 |
child | 3503:882180b459a0 |
comparison
equal
deleted
inserted
replaced
3500:e86315c9b5c4 | 3501:1df139b157fb |
---|---|
3 local st = require "util.stanza"; | 3 local st = require "util.stanza"; |
4 local json = require "util.json"; | 4 local json = require "util.json"; |
5 local xml = require "util.xml"; | 5 local xml = require "util.xml"; |
6 local uuid_generate = require "util.uuid".generate; | 6 local uuid_generate = require "util.uuid".generate; |
7 local timestamp_generate = require "util.datetime".datetime; | 7 local timestamp_generate = require "util.datetime".datetime; |
8 local hashes = require "util.hashes"; | |
9 local from_hex = require "util.hex".from; | |
10 local hmacs = { | |
11 sha1 = hashes.hmac_sha1; | |
12 sha256 = hashes.hmac_sha256; | |
13 sha384 = hashes.hmac_sha384; | |
14 sha512 = hashes.hmac_sha512; | |
15 }; | |
8 | 16 |
9 local pubsub_service = module:depends("pubsub").service; | 17 local pubsub_service = module:depends("pubsub").service; |
10 | 18 |
11 local error_mapping = { | 19 local error_mapping = { |
12 ["forbidden"] = 403; | 20 ["forbidden"] = 403; |
66 return publish_payload(node, actor, "current", xmlpayload); | 74 return publish_payload(node, actor, "current", xmlpayload); |
67 end | 75 end |
68 end | 76 end |
69 | 77 |
70 local actor_source = module:get_option_string("pubsub_post_actor", "superuser"); | 78 local actor_source = module:get_option_string("pubsub_post_actor", "superuser"); |
79 local actor_secret = module:get_option_string("pubsub_post_secret"); | |
80 local actor_secrets = module:get_option("pubsub_post_secrets"); | |
81 | |
82 local function verify_signature(secret, body, signature) | |
83 if not signature then return false; end | |
84 local algo, digest = signature:match("^([^=]+)=(%x+)"); | |
85 if not algo then return false; end | |
86 local hmac = hmacs[algo]; | |
87 if not algo then return false; end | |
88 return hmac(secret, body) == from_hex(digest); | |
89 end | |
71 | 90 |
72 function handle_POST(event, path) | 91 function handle_POST(event, path) |
73 local request = event.request; | 92 local request = event.request; |
74 module:log("debug", "Handling POST: \n%s\n", tostring(request.body)); | 93 module:log("debug", "Handling POST: \n%s\n", tostring(request.body)); |
75 | 94 |
76 local content_type = request.headers.content_type or "application/octet-stream"; | 95 local content_type = request.headers.content_type or "application/octet-stream"; |
77 local actor; | 96 local actor; |
97 | |
98 local secret = actor_secrets and actor_secrets[path] or actor_secret; | |
99 if secret and not verify_signature(secret, request.body, request.headers.x_hub_signature) then | |
100 return 401; | |
101 end | |
78 | 102 |
79 if actor_source == "request.ip" then | 103 if actor_source == "request.ip" then |
80 actor = request.ip or request.conn:ip(); | 104 actor = request.ip or request.conn:ip(); |
81 elseif actor_source == "superuser" then | 105 elseif actor_source == "superuser" then |
82 actor = true; | 106 actor = true; |