prosody-modules
a49d73e4262e
mod_http_oauth2/mod_http_oauth2.lua
Software / code / prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5510:a49d73e4262e
mod_http_oauth2: Add client verification wrapper function
Fixes the weird ok, data return format from util.jit, but the real
reason is to add some preparation steps here.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 02 Jun 2023 10:12:46 +0200 |
| parent | 5509:ae007be8a6bd |
| child | 5511:0860497152af |
comparison
equal
deleted
inserted
replaced
| 5509:ae007be8a6bd | 5510:a49d73e4262e |
|---|---|
| 95 -- Tie it to the host if global | 95 -- Tie it to the host if global |
| 96 verification_key = hashes.hmac_sha256(registration_key, module.host); | 96 verification_key = hashes.hmac_sha256(registration_key, module.host); |
| 97 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options); | 97 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options); |
| 98 end | 98 end |
| 99 | 99 |
| 100 -- verify and prepare client structure | |
| 101 local function check_client(client_id) | |
| 102 if not verify_client then | |
| 103 return nil, "client-registration-not-enabled"; | |
| 104 end | |
| 105 | |
| 106 local ok, client = verify_client(client_id); | |
| 107 if not ok then return ok, client; end | |
| 108 return client; | |
| 109 end | |
| 110 | |
| 100 -- scope : string | array | set | 111 -- scope : string | array | set |
| 101 -- | 112 -- |
| 102 -- at each step, allow the same or a subset of scopes | 113 -- at each step, allow the same or a subset of scopes |
| 103 -- (all ( client ( grant ( token ) ) )) | 114 -- (all ( client ( grant ( token ) ) )) |
| 104 -- preserve order since it determines role if more than one granted | 115 -- preserve order since it determines role if more than one granted |
| 407 if params.scope and params.scope ~= "" then | 418 if params.scope and params.scope ~= "" then |
| 408 -- FIXME allow a subset of granted scopes | 419 -- FIXME allow a subset of granted scopes |
| 409 return oauth_error("invalid_scope", "unknown scope requested"); | 420 return oauth_error("invalid_scope", "unknown scope requested"); |
| 410 end | 421 end |
| 411 | 422 |
| 412 local client_ok, client = verify_client(params.client_id); | 423 local client = check_client(params.client_id); |
| 413 if not client_ok then | 424 if not client then |
| 414 return oauth_error("invalid_client", "incorrect credentials"); | 425 return oauth_error("invalid_client", "incorrect credentials"); |
| 415 end | 426 end |
| 416 | 427 |
| 417 if not verify_client_secret(params.client_id, params.client_secret) then | 428 if not verify_client_secret(params.client_id, params.client_secret) then |
| 418 module:log("debug", "client_secret mismatch"); | 429 module:log("debug", "client_secret mismatch"); |
| 442 function grant_type_handlers.refresh_token(params) | 453 function grant_type_handlers.refresh_token(params) |
| 443 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 454 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 444 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | 455 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end |
| 445 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end | 456 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end |
| 446 | 457 |
| 447 local client_ok, client = verify_client(params.client_id); | 458 local client = check_client(params.client_id); |
| 448 if not client_ok then | 459 if not client then |
| 449 return oauth_error("invalid_client", "incorrect credentials"); | 460 return oauth_error("invalid_client", "incorrect credentials"); |
| 450 end | 461 end |
| 451 | 462 |
| 452 if not verify_client_secret(params.client_id, params.client_secret) then | 463 if not verify_client_secret(params.client_id, params.client_secret) then |
| 453 module:log("debug", "client_secret mismatch"); | 464 module:log("debug", "client_secret mismatch"); |
| 702 | 713 |
| 703 if not params.client_id then | 714 if not params.client_id then |
| 704 return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter")); | 715 return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter")); |
| 705 end | 716 end |
| 706 | 717 |
| 707 local ok, client = verify_client(params.client_id); | 718 local client = check_client(params.client_id); |
| 708 | 719 |
| 709 if not ok then | 720 if not client then |
| 710 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); | 721 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); |
| 711 end | 722 end |
| 712 | 723 |
| 713 local redirect_uri = get_redirect_uri(client, params.redirect_uri); | 724 local redirect_uri = get_redirect_uri(client, params.redirect_uri); |
| 714 if not redirect_uri then | 725 if not redirect_uri then |
