prosody-modules
f2363e6d9a64
mod_host_blacklist/mod_host_blacklist.lua
Software / code / prosody-modules
File
mod_host_blacklist/mod_host_blacklist.lua @ 5390:f2363e6d9a64
mod_http_oauth2: Advertise the currently supported id_token signing algorithm
This field is REQUIRED. The algorithm RS256 MUST be included, but isn't
because we don't implement it, as that would require implementing a pile
of additional cryptography and JWT stuff. Instead the id_token is
signed using the client secret, which allows verification by the client,
since it's a shared secret per OpenID Connect Core 1.0 § 10.1 under
Symmetric Signatures.
OpenID Connect Discovery 1.0 has a lot of REQUIRED and MUST clauses that
are not supported here, but that's okay because this is served from the
RFC 8414 OAuth 2.0 Authorization Server Metadata .well-known endpoint!
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 30 Apr 2023 16:13:40 +0200 |
| parent | 1182:547b3c05cc06 |
line wrap: on
line source
local jid_split = require "util.jid".split; local st = require "util.stanza"; local set = require "util.set"; local select = select; local blacklist = module:get_option_inherited_set("host_blacklist", {}); local function stanza_checker(attr) return function (event) local host = select(2, jid_split(event.stanza.attr[attr])); if blacklist:contains(host) then module:send(st.error_reply(event.stanza, "cancel", "not-allowed", "Communication with this domain is restricted")); return true; end end end check_incoming_stanza = stanza_checker("from"); check_outgoing_stanza = stanza_checker("to"); for stanza_type in set.new{"presence","message","iq"}:items() do for jid_type in set.new{"bare", "full", "host"}:items() do module:hook("pre-"..stanza_type.."/"..jid_type, check_outgoing_stanza, 500); module:hook(stanza_type.."/"..jid_type, check_incoming_stanza, 500); end end
