
mod_sasl2_fast/mod_sasl2_fast.lua @ 5071:bc983da908e6

mod_sasl2_fast: Take username from SASL exchange rather than stream@from
author Matthew Wild <mwild1@gmail.com>
date Sat, 15 Oct 2022 19:42:55 +0100
parent 5070:5cc6f3749376
child 5072:d41677929f68
--- a/mod_sasl2_fast/mod_sasl2_fast.lua	Sat Oct 15 19:41:33 2022 +0100
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua	Sat Oct 15 19:42:55 2022 +0100
@@ -29,8 +29,8 @@
 	return token_info;
 end
 
-local function new_token_tester(username, hmac_f)
-	return function (mechanism, client_id, token_hash, cb_data)
+local function new_token_tester(hmac_f)
+	return function (mechanism, username, client_id, token_hash, cb_data)
 		local tried_current_token = false;
 		local key = hash.sha256(client_id, true).."-new";
 		local token;
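Review bot: The returned closure now receives `username` from the SASL exchange, but the storage key on the line below it is still derived from `client_id` alone (`hash.sha256(client_id, true).."-new"`), so nothing in this hunk binds the looked-up token to the account the client claims. The remainder of the closure is outside the hunk; if the record fetched under that key is not compared against `username` there, the check should be added or the key should incorporate the username. A short comment at the `key` line stating where the username/token binding is enforced, e.g. `-- token record is checked against username below`, would make the intent verifiable.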
@@ -64,9 +64,9 @@
 	end
 end
 
-function get_sasl_handler(username)
+function get_sasl_handler()
 	local token_auth_profile = {
-		ht_sha_256 = new_token_tester(username, hash.hmac_sha256);
+		ht_sha_256 = new_token_tester(hash.hmac_sha256);
 		token_test = function (_, client_id, token, mech_name, counter) --luacheck: ignore
 			return false; -- FIXME
 		end;
@@ -163,10 +163,16 @@
 local function new_ht_mechanism(mechanism_name, backend_profile_name, cb_name)
 	return function (sasl_handler, message)
 		local backend = sasl_handler.profile[backend_profile_name];
-		local ok, status, response = backend(mechanism_name, sasl_handler._client_id, message, cb_name and sasl_handler.profile.cb[cb_name] or "");
+		local username, token_hash = message:match("^([^%z]+)%z(.+)$");
+		if not username then
+			return "failure", "malformed-request";
+		end
+		local cb_data = cb_name and sasl_handler.profile.cb[cb_name](sasl_handler) or "";
+		local ok, status, response = backend(mechanism_name, username, sasl_handler.profile._client_id, token_hash, cb_data);
 		if not ok then
 			return "failure", status or "not-authorized";
 		end
+		sasl_handler.username = status;
 		return "success", response;
 	end
 end
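Review bot: `message:match("^([^%z]+)%z(.+)$")` raises a Lua error instead of returning a SASL failure when `message` is nil or not a string, which is the case if the caller can invoke the mechanism without an initial response (not visible in this hunk); guard it with `if type(message) ~= "string" then return "failure", "malformed-request"; end` before the match. `sasl_handler.username = status` relies on the backend returning the authenticated username as its second value on success, and since the `username` capture is now client-supplied it matters that the stored value is the backend's result rather than the raw capture — a comment such as `-- backend returns the verified username as its second result` would document that contract. The switch from `sasl_handler._client_id` to `sasl_handler.profile._client_id` is not mentioned in the commit message; confirm it is intentional rather than a silent rename.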