File

mod_register_json/mod_register_json.lua @ 429:ea6641deec12

mod_register_json: added check for invalid characters in the username.
author Marco Cirillo <maranda@lightwitch.org>
date Thu, 15 Sep 2011 03:32:23 +0000
parent 370:16da8cd69715
child 430:f0fafd19fd72
line wrap: on
line source

-- Expose a simple servlet to handle user registrations from web pages
-- via JSON.
--
-- A Good chunk of the code is from mod_data_access.lua by Kim Alvefur
-- aka Zash.

local jid_prep = require "util.jid".prep;
local jid_split = require "util.jid".split;
local usermanager = require "core.usermanager";
local b64_decode = require "util.encodings".base64.decode;
local json_decode = require "util.json".decode;
local httpserver = require "net.httpserver";
local os_time = os.time;

module.host = "*" -- HTTP/BOSH Servlets need to be global.

-- Pick up configuration.

local set_realm_name = module:get_option("reg_servlet_realm") or "Restricted";
local throttle_time = module:get_option("reg_servlet_ttime") or false;
local whitelist = module:get_option("reg_servlet_wl") or {};
local blacklist = module:get_option("reg_servlet_bl") or {};
local recent_ips = {};

-- Begin

for _, ip in ipairs(whitelist) do whitelisted_ips[ip] = true; end
for _, ip in ipairs(blacklist) do blacklisted_ips[ip] = true; end

local function http_response(code, message, extra_headers)
        local response = {
                status = code .. " " .. message;
                body = message .. "\n"; }
        if extra_headers then response.headers = extra_headers; end
        return response
end

local function handle_req(method, body, request)
	if request.method ~= "POST" then
		return http_response(405, "Bad method...", {["Allow"] = "POST"});
	end
	if not request.headers["authorization"] then
		return http_response(401, "No... No...",
		{["WWW-Authenticate"]='Basic realm="'.. set_realm_name ..'"'})
	end
	
	local user, password = b64_decode(request.headers.authorization
		:match("[^ ]*$") or ""):match("([^:]*):(.*)");
	user = jid_prep(user);
	if not user or not password then return http_response(400, "What's this..?"); end
	local user_node, user_host = jid_split(user)
	if not hosts[user_host] then return http_response(401, "Negative."); end
	
	module:log("warn", "%s is authing to submit a new user registration data", user)
	if not usermanager.test_password(user_node, user_host, password) then
		module:log("warn", "%s failed authentication", user)
		return http_response(401, "Who the hell are you?! Guards!");
	end
	
	local req_body; 
	-- We check that what we have is valid JSON wise else we throw an error...
	if not pcall(function() req_body = json_decode(body) end) then
		module:log("debug", "JSON data submitted for user registration by %s failed to Decode.", user); 
		return http_response(400, "JSON Decoding failed.");
	else
		-- Decode JSON data and check that all bits are there else throw an error
		req_body = json_decode(body);
		if req_body["username"] == nil or req_body["password"] == nil or req_body["host"] == nil or req_body["ip"] == nil then
			module:log("debug", "%s supplied an insufficent number of elements or wrong elements for the JSON registration", user); 
			return http_response(400, "Invalid syntax.");
		end
		-- Check if user is an admin of said host
		if not usermanager.is_admin(user, req_body["host"]) then
			module:log("warn", "%s tried to submit registration data for %s but he's not an admin", user, req_body["host"]);
			return http_response(401, "I obey only to my masters... Have a nice day.");
		else	
			-- Checks for both Throttling/Whitelist and Blacklist (basically copycatted from prosody's register.lua code)
			if blacklist[req_body["ip"]] then module:log("warn", "Attempt of reg. submission to the JSON servlet from blacklisted address: %s", req_body["ip"]); return http_response(403, "The specified address is blacklisted, sorry sorry."); end
			if throttle_time and not whitelist[req_body["ip"]] then
				if not recent_ips[req_body["ip"]] then
					recent_ips[req_body["ip"]] = { time = os_time(), count = 1 };
				else
					local ip = recent_ips[req_body["ip"]];
					ip.count = ip.count + 1;

					if os_time() - ip.time < throttle_time then
						ip.time = os_time();
						module:log("warn", "JSON Registration request from %s has been throttled.", req_body["ip"]);
						return http_response(503, "Woah... How many users you want to register..? Request throttled, wait a bit and try again.");
					end
					ip.time = os_time();
				end
			end

			-- We first check if the supplied username for registration is already there.
			if not usermanager.user_exists(req_body["username"], req_body["host"]) then
				-- Sanity checks for the username.
				if req_body["username"]:find(" ") or req_body["username"]:find("@") or req_body["username"]:find("<") or
				   req_body["username"]:find(">") or req_body["username"]:find("\"") or req_body["username"]:find("\'") or
				   req_body["username"]:find("/") then
					module:log("debug", "%s supplied an username containing invalid characters: %s", user, req_body["username"]);
					return http_response(406, "Supplied username contains invalid characters, see RFC 6122.");
				else
					usermanager.create_user(req_body["username"], req_body["password"], req_body["host"]);
					module:log("debug", "%s registration data submission for %s is successful", user, req_body["username"]);
					return http_response(200, "Done.");
				end
			else
				module:log("debug", "%s registration data submission for %s failed (user already exists)", user, req_body["username"]);
				return http_response(409, "User already exists.");
			end
		end
	end
end

-- Set it up!
local function setup()
	local ports = module:get_option("reg_servlet_ports") or { 9280 };
	local port_number, base_name, ssl_table;
	for _, opts in ipairs(ports) do
		if type(opts) == "number" then
			port_number, base_name = opts, "register_account";
		elseif type(opts) == "table" then
			port_number, base_name, ssl_table = opts.port or 9280, opts.path or "register_account", opts.ssl or nil;
		elseif type(opts) == "string" then
			base_name, port_number = opts, 9280;
		end
	end
	
	if ssl_table == nil then
		ports = { { port = port_number } };
		httpserver.new_from_config(ports, handle_req, { base = base_name });
	else
		if port_number == 9280 then port_number = 9443; end
		ports = { { port = port_number, ssl = ssl_table } };
		httpserver.new_from_config(ports, handle_req, { base = base_name });
	end
end

if prosody.start_time then -- already started
	setup();
else
	prosody.events.add_handler("server-started", setup);
end