Software /
code /
prosody-modules
File
mod_s2s_status/mod_s2s_status.lua @ 5705:527c747711f3
mod_http_oauth2: Limit revocation to clients own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the later
part using the hash of client_id recorded in 0860497152af
It still seems weird to me that revoking a leaked token should not be
allowed whoever might have discovered it, as that seems the responsible
thing to do.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Oct 2023 11:30:49 +0100 |
parent | 4791:b86282953663 |
child | 5811:31c331d05a75 |
line wrap: on
line source
local status_out = module:shared("out"); local errors = require "util.error"; local function get_session_info(session) local direction, peer_host = session.direction; if direction == "outgoing" then peer_host = session.to_host; elseif direction == "incoming" then peer_host = session.from_host; end return peer_host, direction, session.id; end local function get_domain_log_out(peer_domain) local domain_log = status_out[peer_domain]; if not domain_log then domain_log = {}; status_out[peer_domain] = domain_log; end end local function get_connection_record(domain_log, id) for _, record in ipairs(domain_log) do if record.id == id then return record; end end -- No record for this connection yet, create it local record = { id = id }; table.insert(domain_log, 1, record); return record; end local function log_new_connection_out(peer_domain, id) local domain_log = get_domain_log_out(peer_domain); local record = get_connection_record(domain_log, id); record.status, record.time_started = "connecting", os.time(); end local function log_successful_connection_out(peer_domain, id) local domain_log = get_domain_log_out(peer_domain); local record = get_connection_record(domain_log, id); record.status, record.time_connected = "connected", os.time(); end local function log_ended_connection_out(peer_domain, id, reason) local domain_log = get_domain_log_out(peer_domain); local record = get_connection_record(domain_log, id); if record.status == "connecting" then record.status = "failed"; elseif record.status == "connected" then record.status = "disconnected"; end if reason then local e_reason = errors.new(reason); record.error = { type = e_reason.type; condition = e_reason.condition; text = e_reason.text; }; if not record.error.text and type(reason) == "string" then record.error.text = reason; end end local now = os.time(); record.time_ended = now; end local function s2sout_established(event) local peer_domain, _, id = get_session_info(event.session); log_successful_connection_out(peer_domain, id); end local function s2sout_destroyed(event) local peer_domain, _, id = get_session_info(event.session); log_ended_connection_out(peer_domain, id); end local function s2s_created(event) local peer_domain, direction, id = get_session_info(event.session); if direction == "outgoing" then log_new_connection_out(peer_domain, id); end end module:hook("s2s-created", s2s_created); module:hook("s2sout-established", s2sout_established); module:hook("s2sout-destroyed", s2sout_destroyed);