mod_rest/mod_rest.lua @ 5993:a0d77b427d50
mod_rest: Wrap mod_tokenauth errors
In some cases of expired or invalid tokens, the error from
mod_tokenauth.get_token_session() was returned bare with status 200
instead of via the error formatting handler.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 21 Sep 2024 21:10:45 +0200 |
parent | 5981:eef6cb08f9e7 |
child | 6206:ac7e2992fe6e |
5992:bdfb0ed56399 | 5993:a0d77b427d50 |
---|---|
49 iq_tags = { code = 422; type = "modify"; condition = "bad-format"; text = "'iq' stanza must have exactly one child tag" }; | 49 iq_tags = { code = 422; type = "modify"; condition = "bad-format"; text = "'iq' stanza must have exactly one child tag" }; |
50 mediatype = { code = 415; type = "cancel"; condition = "bad-format"; text = "Unsupported media type" }; | 50 mediatype = { code = 415; type = "cancel"; condition = "bad-format"; text = "Unsupported media type" }; |
51 size = { code = 413; type = "modify"; condition = "resource-constraint", text = "Payload too large" }; | 51 size = { code = 413; type = "modify"; condition = "resource-constraint", text = "Payload too large" }; |
52 }); | 52 }); |
53 | 53 |
54 local token_session_errors = errors.init("mod_tokenauth", { | |
55 ["internal-error"] = { code = 500; type = "wait"; condition = "internal-server-error" }; | |
56 ["invalid-token-format"] = { code = 403; type = "auth"; condition = "not-authorized"; text = "Credentials malformed" }; | |
57 ["not-authorized"] = { code = 403; type = "auth"; condition = "not-authorized"; text = "Credentials not accepted" }; | |
58 }); | |
59 | |
54 local function check_credentials(request) -- > session | boolean, error | 60 local function check_credentials(request) -- > session | boolean, error |
55 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); | 61 local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$"); |
56 auth_type = auth_type and auth_type:lower(); | 62 auth_type = auth_type and auth_type:lower(); |
57 if not (auth_type and auth_data) or not auth_mechanisms:contains(auth_type) then | 63 if not (auth_type and auth_data) or not auth_mechanisms:contains(auth_type) then |
58 return nil, post_errors.new("noauthz", { request = request }); | 64 return nil, post_errors.new("noauthz", { request = request }); |
75 return false, post_errors.new("unauthz", { request = request }); | 81 return false, post_errors.new("unauthz", { request = request }); |
76 end | 82 end |
77 return { username = username; host = module.host }; | 83 return { username = username; host = module.host }; |
78 elseif auth_type == "bearer" then | 84 elseif auth_type == "bearer" then |
79 if tokens.get_token_session then | 85 if tokens.get_token_session then |
80 return tokens.get_token_session(auth_data); | 86 local token_session, err = tokens.get_token_session(auth_data); |
87 if not token_session then | |
88 return false, token_session_errors.new(err or "not-authorized", { request = request }); | |
89 end | |
90 return token_session; | |
81 else -- COMPAT w/0.12 | 91 else -- COMPAT w/0.12 |
82 local token_info = tokens.get_token_info(auth_data); | 92 local token_info = tokens.get_token_info(auth_data); |
83 if not token_info or not token_info.session then | 93 if not token_info or not token_info.session then |
84 return false, post_errors.new("unauthz", { request = request }); | 94 return false, post_errors.new("unauthz", { request = request }); |
85 end | 95 end |