mod_http_oauth2/mod_http_oauth2.lua @ 6273:8ceedc336d0d
Merge update
| author | Trần H. Trung <xmpp:trần.h.trung@trung.fun> |
|---|---|
| date | Sun, 01 Jun 2025 13:51:38 +0700 |
| parent | 6245:ea58d2893afb |
| parent | 6271:b63202d66238 |
| child | 6309:342f88e8d522 |
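--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -397,36 +397,23 @@
 -- via the token endpoint, so how did you get here?
 return oauth_error("invalid_request");
 end
 
 local function make_client_secret(client_id) --> client_secret
 return hashes.hmac_sha256(verification_key, client_id, true);
 end
 
 local function verify_client_secret(client_id, client_secret)
 return hashes.equals(make_client_secret(client_id), client_secret);
 end
 
-function grant_type_handlers.password(params)
-if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
-if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
-
-local client = check_client(params.client_id);
-if not client then
-return oauth_error("invalid_client", "incorrect credentials");
-end
-
-if not verify_client_secret(params.client_id, params.client_secret) then
-module:log("debug", "client_secret mismatch");
-return oauth_error("invalid_client", "incorrect credentials");
-end
-
+function grant_type_handlers.password(params, client)
 local request_username
 
 if expect_username_jid then
 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
-local _request_username, request_host, request_resource = jid.prepped_split(request_jid);
+local _request_username, request_host = jid.prepped_split(request_jid);
 
 if not (_request_username and request_host) or request_host ~= module.host then
 return oauth_error("invalid_request", "invalid JID");
 end
 
@@ -535,27 +522,15 @@
 location = url.build(redirect);
 };
 }
 end
 
-function grant_type_handlers.authorization_code(params)
-if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
-if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+function grant_type_handlers.authorization_code(params, client)
 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
 if params.scope and params.scope ~= "" then
 -- FIXME allow a subset of granted scopes
 return oauth_error("invalid_scope", "unknown scope requested");
-end
-
-local client = check_client(params.client_id);
-if not client then
-return oauth_error("invalid_client", "incorrect credentials");
-end
-
-if not verify_client_secret(params.client_id, params.client_secret) then
-module:log("debug", "client_secret mismatch");
-return oauth_error("invalid_client", "incorrect credentials");
 end
 local code, err = codes:get("authorization_code:" .. params.client_id .. "#" .. params.code);
 if err then error(err); end
 -- MUST NOT use the authorization code more than once, so remove it to
 -- prevent a second attempted use
@@ -882,16 +857,30 @@
 -- client_secret_basic converted internally to client_secret_post
 params.client_id = http.urldecode(credentials.username);
 params.client_secret = http.urldecode(credentials.password);
 end
 
+if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
+if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+
+local client = check_client(params.client_id);
+if not client then
+return oauth_error("invalid_client", "incorrect credentials");
+end
+
+if not verify_client_secret(params.client_id, params.client_secret) then
+module:log("debug", "client_secret mismatch");
+return oauth_error("invalid_client", "incorrect credentials");
+end
+
+
 local grant_type = params.grant_type
 local grant_handler = grant_type_handlers[grant_type];
 if not grant_handler then
 return oauth_error("invalid_request", "No such grant type.");
 end
-return grant_handler(params);
+return grant_handler(params, client);
 end
 
 local function handle_authorization_request(event)
 local request = event.request;
 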
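Review bot: The hoisted client check at new lines 862-873 now runs unconditionally for every grant type, before the handler table is even consulted at 877, so any grant type that was meant to work without a client_secret (a public client, if the module has such a notion) is now rejected with "missing 'client_secret'" before dispatch; the handlers other than password and authorization_code are outside this view, so this is worth confirming against them. The `client` record handed to each handler at 881 is not referenced in the visible bodies of either handler (new 409 and 527), and authorization_code still keys the code lookup on `params.client_id` at 533 rather than on the authenticated record; a one-line comment above 862 such as `-- Client authentication is enforced here for all grant types; handlers receive the verified client record and must not re-derive it from params` would make the intended single authority explicit. Minor style: 874-875 leave two consecutive blank lines. The function enclosing this hunk starts before it.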