
mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua @ 3114:73ada978dabc

mod_sasl_oauthbearer and mod_auth_oauthbearer Two new modules for logging in with OAuth tokens.
author JC Brand <jc@opkode.com>
date Wed, 13 Jun 2018 17:09:49 +0000
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_sasl_oauthbearer/mod_sasl_oauthbearer.lua	Wed Jun 13 17:09:49 2018 +0000
@@ -0,0 +1,50 @@
+local s_match = string.match;
+local registerMechanism = require "util.sasl".registerMechanism;
+local saslprep = require "util.encodings".stringprep.saslprep;
+local nodeprep = require "util.encodings".stringprep.nodeprep;
+local log = require "util.logger".init("sasl");
+local _ENV = nil;
+
+
+local function oauthbearer(self, message)
+	if not message then
+		return "failure", "malformed-request";
+	end
+
+	local authorization, password = s_match(message, "^n,a=([^,]*),\1auth=Bearer ([^\1]+)");
+	if not authorization then
+		return "failure", "malformed-request";
+	end
+
+	local authentication = s_match(authorization, "(.-)@.*");
+
+	-- SASLprep password and authentication
+	authentication = saslprep(authentication);
+	password = saslprep(password);
+
+	if (not password) or (password == "") or (not authentication) or (authentication == "") then
+		log("debug", "Username or password violates SASLprep.");
+		return "failure", "malformed-request", "Invalid username or password.";
+	end
+
+	local _nodeprep = self.profile.nodeprep;
+	if _nodeprep ~= false then
+		authentication = (_nodeprep or nodeprep)(authentication);
+		if not authentication or authentication == "" then
+			return "failure", "malformed-request", "Invalid username or password."
+		end
+	end
+
+	local correct, state = false, false;
+    correct, state = self.profile.oauthbearer(self, authentication, password, self.realm);
+
+	self.username = authentication
+	if state == false then
+		return "failure", "account-disabled";
+	elseif state == nil or not correct then
+		return "failure", "not-authorized", "Unable to authorize you with the authentication credentials you've sent.";
+	end
+	return "success";
+end
+
+registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer);
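Review bot: The local-part extraction `s_match(authorization, "(.-)@.*")` yields nil when the `a=` value contains no `@`, and that nil reaches `saslprep(authentication)` before the emptiness check that follows; if saslprep requires a string argument this raises inside the mechanism instead of returning a SASL failure, so add `if not authentication then return "failure", "malformed-request"; end` directly after the match. The domain half of the authzid is discarded here and never compared with `self.realm`, so a client may present an identity for one domain while authenticating on another — unless the `profile.oauthbearer` callback (outside this hunk) performs that comparison, it should be checked here, e.g. by capturing the domain too and rejecting a mismatch. On style, `local correct, state = false, false;` is immediately overwritten on the next line, so a single `local correct, state = self.profile.oauthbearer(...)` suffices, and that line is indented with spaces where the rest of the file uses tabs.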