Software /
code /
prosody-modules
File
mod_auth_token/token_auth_utils.lib.lua @ 5666:73c3d5bfce3e
mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt
If the OIDC 'prompt' parameter does not contain the 'select_account'
then it wants us to skip account selection, which means we have to
figure which account to authenticate somehow. One way could be have
this stored in a cookie from a previous successful login. Another way
would be to have the account passed as a hint, which is what we add
here.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 09 Sep 2023 21:42:24 +0200 |
parent | 3693:0fb12a4b6106 |
line wrap: on
line source
local base64 = require "util.encodings".base64; local hmac = require "openssl.hmac"; local luatz = require "luatz"; local otp = require "otp"; local DIGEST_TYPE = "SHA256"; local OTP_DEVIATION = 1; local OTP_DIGITS = 8; local OTP_INTERVAL = 30; local nonce_cache = {}; local function check_nonce(jid, otp_value, nonce) -- We cache all nonces used per OTP, to ensure that a token cannot be used -- more than once. -- -- We assume that the OTP is valid in the current time window. This is the -- case because we only call check_nonce *after* the OTP has been verified. -- -- We only store one OTP per JID, so if a new OTP comes in, we wipe the -- previous OTP and its cached nonces. if nonce_cache[jid] == nil or nonce_cache[jid][otp_value] == nil then nonce_cache[jid] = {} nonce_cache[jid][otp_value] = {} nonce_cache[jid][otp_value][nonce] = true return true; end if nonce_cache[jid][otp_value][nonce] == true then return false; else nonce_cache[jid][otp_value][nonce] = true; return true; end end local function verify_token(username, password, otp_seed, token_secret, log) local totp = otp.new_totp_from_key(otp_seed, OTP_DIGITS, OTP_INTERVAL) local token = string.match(password, "(%d+) ") local otp_value = token:sub(1,8) local nonce = token:sub(9) local signature = base64.decode(string.match(password, " (.+)")) local jid = username.."@"..module.host if totp:verify(otp_value, OTP_DEVIATION, luatz.time()) then log("debug", "The TOTP was verified"); local hmac_ctx = hmac.new(token_secret, DIGEST_TYPE) if signature == hmac_ctx:final(otp_value..nonce..jid) then log("debug", "The key was verified"); if check_nonce(jid, otp_value, nonce) then log("debug", "The nonce was verified"); return true; end end end log("debug", "Verification failed"); return false; end return { OTP_DEVIATION = OTP_DIGITS, OTP_DIGITS = OTP_DIGITS, OTP_INTERVAL = OTP_INTERVAL, DIGEST_TYPE = DIGEST_TYPE, verify_token = verify_token; }