mod_http_oauth2/mod_http_oauth2.lua @ 6238:c1b94dd6e53b
mod_http_oauth2: Change password grant to take username instead of JID [BC]
For consistency since the other grant types do not accept JIDs
This has been like this from the beginning of this module.
Changing this breaks backwards-compatibility with anything that relied
on the JID as username, but things shouldn't really be using the
password grant anyway as it is insecure.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 19 Apr 2025 16:25:24 +0200 |
parent | 6237:4f0ed0e3ad5a |
child | 6239:a931a95e363e |
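--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -417,22 +417,18 @@
 if not verify_client_secret(params.client_id, params.client_secret) then
 module:log("debug", "client_secret mismatch");
 return oauth_error("invalid_client", "incorrect credentials");
 end
 
-local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
+local request_username = assert(params.username, oauth_error("invalid_request", "missing 'username'"));
 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
-local request_username, request_host, request_resource = jid.prepped_split(request_jid);
 
-if not (request_username and request_host) or request_host ~= module.host then
-return oauth_error("invalid_request", "invalid JID");
-end
-if not usermanager.test_password(request_username, request_host, request_password) then
+if not usermanager.test_password(request_username, module.host, request_password) then
 return oauth_error("invalid_grant", "incorrect credentials");
 end
 
-local granted_jid = jid.join(request_username, request_host, request_resource);
+local granted_jid = jid.join(request_username, module.host);
 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil));
 end
 
 function response_type_handlers.code(client, params, granted_jid, id_token)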
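Review bot: The new line 422 hands `params.username` straight to `usermanager.test_password` and `jid.join` without the stringprep normalization and validation that the removed `jid.prepped_split` call used to apply, so a value containing '@' or '/' or in mixed case is no longer rejected or canonicalized before the credential check and before it becomes the token subject in `granted_jid`. Whether `test_password` tolerates such a node is not visible here, but the resulting token subject can differ from the canonical bare JID that other parts of the module presumably compare against, which is worth closing before this ships. A small fix keeps the validation in place, e.g. `request_username = jid.prepped_split(request_username .. "@" .. module.host);` followed by `if not request_username then return oauth_error("invalid_request", "invalid username"); end`, or a nodeprep helper if one is already in scope in this file, which the hunk does not show. The enclosing grant handler starts above the hunk.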