prosody-modules
260a859be86a
mod_http_oauth2/mod_http_oauth2.lua
Software / code / prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5459:260a859be86a
mod_http_oauth2: Rename variables to improve clarity
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 17 May 2023 00:09:37 +0200 |
| parent | 5458:813fe4f76286 |
| child | 5460:c0d62c1b4424 |
comparison
equal
deleted
inserted
replaced
| 5458:813fe4f76286 | 5459:260a859be86a |
|---|---|
| 82 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); | 82 { default_ttl = registration_ttl; accept_expired = not registration_ttl }); |
| 83 | 83 |
| 84 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); | 84 local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", false); |
| 85 | 85 |
| 86 local verification_key; | 86 local verification_key; |
| 87 local jwt_sign, jwt_verify; | 87 local sign_client, verify_client; |
| 88 if registration_key then | 88 if registration_key then |
| 89 -- Tie it to the host if global | 89 -- Tie it to the host if global |
| 90 verification_key = hashes.hmac_sha256(registration_key, module.host); | 90 verification_key = hashes.hmac_sha256(registration_key, module.host); |
| 91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); | 91 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options); |
| 92 end | 92 end |
| 93 | 93 |
| 94 -- scope : string | array | set | 94 -- scope : string | array | set |
| 95 -- | 95 -- |
| 96 -- at each step, allow the same or a subset of scopes | 96 -- at each step, allow the same or a subset of scopes |
| 372 if params.scope and params.scope ~= "" then | 372 if params.scope and params.scope ~= "" then |
| 373 -- FIXME allow a subset of granted scopes | 373 -- FIXME allow a subset of granted scopes |
| 374 return oauth_error("invalid_scope", "unknown scope requested"); | 374 return oauth_error("invalid_scope", "unknown scope requested"); |
| 375 end | 375 end |
| 376 | 376 |
| 377 local client_ok, client = jwt_verify(params.client_id); | 377 local client_ok, client = verify_client(params.client_id); |
| 378 if not client_ok then | 378 if not client_ok then |
| 379 return oauth_error("invalid_client", "incorrect credentials"); | 379 return oauth_error("invalid_client", "incorrect credentials"); |
| 380 end | 380 end |
| 381 | 381 |
| 382 if not verify_client_secret(params.client_id, params.client_secret) then | 382 if not verify_client_secret(params.client_id, params.client_secret) then |
| 407 function grant_type_handlers.refresh_token(params) | 407 function grant_type_handlers.refresh_token(params) |
| 408 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 408 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 409 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | 409 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end |
| 410 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end | 410 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end |
| 411 | 411 |
| 412 local client_ok, client = jwt_verify(params.client_id); | 412 local client_ok, client = verify_client(params.client_id); |
| 413 if not client_ok then | 413 if not client_ok then |
| 414 return oauth_error("invalid_client", "incorrect credentials"); | 414 return oauth_error("invalid_client", "incorrect credentials"); |
| 415 end | 415 end |
| 416 | 416 |
| 417 if not verify_client_secret(params.client_id, params.client_secret) then | 417 if not verify_client_secret(params.client_id, params.client_secret) then |
| 658 return error_response(request, oauth_error("invalid_request")); | 658 return error_response(request, oauth_error("invalid_request")); |
| 659 end | 659 end |
| 660 | 660 |
| 661 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 661 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 662 | 662 |
| 663 local ok, client = jwt_verify(params.client_id); | 663 local ok, client = verify_client(params.client_id); |
| 664 | 664 |
| 665 if not ok then | 665 if not ok then |
| 666 return oauth_error("invalid_client", "incorrect credentials"); | 666 return oauth_error("invalid_client", "incorrect credentials"); |
| 667 end | 667 end |
| 668 | 668 |
| 884 -- Ensure each signed client_id JWT is unique, short ID and issued at | 884 -- Ensure each signed client_id JWT is unique, short ID and issued at |
| 885 -- timestamp should be sufficient to rule out brute force attacks | 885 -- timestamp should be sufficient to rule out brute force attacks |
| 886 client_metadata.nonce = id.short(); | 886 client_metadata.nonce = id.short(); |
| 887 | 887 |
| 888 -- Do we want to keep everything? | 888 -- Do we want to keep everything? |
| 889 local client_id = jwt_sign(client_metadata); | 889 local client_id = sign_client(client_metadata); |
| 890 | 890 |
| 891 client_metadata.client_id = client_id; | 891 client_metadata.client_id = client_id; |
| 892 client_metadata.client_id_issued_at = os.time(); | 892 client_metadata.client_id_issued_at = os.time(); |
| 893 | 893 |
| 894 if client_metadata.token_endpoint_auth_method ~= "none" then | 894 if client_metadata.token_endpoint_auth_method ~= "none" then |
