# HG changeset patch
# User JC Brand
# Date 1551353514 -3600
# Node ID ac1f63cdb6d6d56e604514595c5a532c76abee2f
# Parent b4bcb84997e714edcc9166ee6f2d52d3ec3414d8
mod_auth_token: Check realm against module.host
diff -r b4bcb84997e7 -r ac1f63cdb6d6 mod_auth_token/token_auth_utils.lib.lua
--- a/mod_auth_token/token_auth_utils.lib.lua Tue Feb 26 15:58:58 2019 +0100
+++ b/mod_auth_token/token_auth_utils.lib.lua Thu Feb 28 12:31:54 2019 +0100
@@ -36,6 +36,11 @@
 function verify_token(username, password, realm, otp_seed, token_secret, log)
+ if (realm ~= module.host) then
+ log("debug", "Verification failed: realm ~= module.host");
+ return false;
+ end
+
 local totp = otp.new_totp_from_key(otp_seed, OTP_DIGITS, OTP_INTERVAL)
 local token = string.match(password, "(%d+) ")
 local otp = token:sub(1,8)
@@ -44,17 +49,17 @@
 local jid = username.."@"..realm
 if totp:verify(otp, OTP_DEVIATION, luatz.gmtime(luatz.time())) then
- -- log("debug", "**** THE OTP WAS VERIFIED ****** ");
+ log("debug", "The TOTP was verified");
 local hmac_ctx = hmac.new(token_secret, DIGEST_TYPE)
 if signature == hmac_ctx:final(otp..nonce..jid) then
- -- log("debug", "**** THE KEY WAS VERIFIED ****** ");
+ log("debug", "The key was verified");
 if check_nonce(jid, otp, nonce) then
- -- log("debug", "**** THE NONCE WAS VERIFIED ****** ");
+ log("debug", "The nonce was verified");
 return true;
 end
 end
 end
- -- log("debug", "**** VERIFICATION FAILED ****** ");
+ log("debug", "Verification failed");
 return false;
 end
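Review bot: The new realm guard runs before the token is parsed, but a password that does not match `"(%d+) "` still leaves `token` nil and the `token:sub(1,8)` on the following context line raises a Lua error instead of returning false, so a malformed credential becomes an exception in the auth path rather than a clean rejection; a guard such as `if not token then log("debug", "Verification failed: malformed token"); return false; end` directly after the `string.match` keeps the function fail-closed. The realm message would also be more useful to an operator if it carried the values compared, e.g. `log("debug", "Verification failed: realm %s does not match module host %s", tostring(realm), tostring(module.host))`, assuming the injected `log` is Prosody's format-style logger (it is a parameter, not visible here). `module` is not a parameter of verify_token and is not defined in this hunk; presumably the lib is loaded in the Prosody module environment where it is a global, which is worth a one-line comment above the check. Style: the file's other conditions do not parenthesise the test, so `if realm ~= module.host then` matches the surrounding code.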
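Review bot: Only the success paths received distinct messages; an OTP mismatch, a bad HMAC and a reused nonce all fall through to the same `log("debug", "Verification failed")`, so from the logs a defender cannot tell a replayed token from a wrong secret. An `else` on each inner `if` naming the stage, e.g. `else log("debug", "Verification failed: nonce already used") end` on the `check_nonce` branch, would make the three outcomes distinguishable, and a nonce reuse arguably merits a level above debug since it is the replay signal this scheme exists to catch. The `signature == hmac_ctx:final(otp..nonce..jid)` context line is a plain string comparison; whether it is constant-time depends on the Lua runtime and is not changed by this commit. verify_token begins in the previous hunk and the lines between the two hunks are not shown.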