
mod_auth_token/token_auth_utils.lib.lua @ 3472:ac1f63cdb6d6

mod_auth_token: Check realm against module.host
author JC Brand <jc@opkode.com>
date Thu, 28 Feb 2019 12:31:54 +0100
parent 2956:d0ca211e1b0e
child 3568:6b3181fe5617
3471:b4bcb84997e7 3472:ac1f63cdb6d6
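--- a/mod_auth_token/token_auth_utils.lib.lua
+++ b/mod_auth_token/token_auth_utils.lib.lua
@@ -34,29 +34,34 @@
 end
 end
 
 
 function verify_token(username, password, realm, otp_seed, token_secret, log)
+if (realm ~= module.host) then
+log("debug", "Verification failed: realm ~= module.host");
+return false;
+end
+
 local totp = otp.new_totp_from_key(otp_seed, OTP_DIGITS, OTP_INTERVAL)
 local token = string.match(password, "(%d+) ")
 local otp = token:sub(1,8)
 local nonce = token:sub(9)
 local signature = base64.decode(string.match(password, " (.+)"))
 local jid = username.."@"..realm
 
 if totp:verify(otp, OTP_DEVIATION, luatz.gmtime(luatz.time())) then
--- log("debug", "**** THE OTP WAS VERIFIED ****** ");
+log("debug", "The TOTP was verified");
 local hmac_ctx = hmac.new(token_secret, DIGEST_TYPE)
 if signature == hmac_ctx:final(otp..nonce..jid) then
--- log("debug", "**** THE KEY WAS VERIFIED ****** ");
+log("debug", "The key was verified");
 if check_nonce(jid, otp, nonce) then
--- log("debug", "**** THE NONCE WAS VERIFIED ****** ");
+log("debug", "The nonce was verified");
 return true;
 end
 end
 end
--- log("debug", "**** VERIFICATION FAILED ****** ");
+log("debug", "Verification failed");
 return false;
 end
 
 return {
 OTP_DEVIATION = OTP_DIGITS,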