Annotate: plugins/mod_auth_internal_hashed.lua @ 13633:6b84d11aa09b
mod_storage_sql: Detect SQLite3 without UPSERT (or SQLCipher 3.x)

SQLCipher v3.4.1 (the version in Debian 12) is based on SQLite3 v3.15.2, while UPSERT support was introduced in SQLite3 v3.24.0.

This check was not needed before because we v3.24.0 has not been in a version of Debian we support for a long, long time.

Note however that SQLCipher databases are not compatible across major versions; upgrading from v3.x to v4.x requires executing a migration. Attempts at making `prosodyctl mod_storage_sql upgrade` perform such a migration have not been successful.

Executing the following in the `sqlcipher` tool should do the migration:

```sql
PRAGMA key = '<key material>';
PRAGMA cipher_migrate;
```
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 23 Jan 2025 19:33:05 +0100 |
| parent | 13506:1b81a7b7c9b8 |
Source of `plugins/mod_auth_internal_hashed.lua` at this revision. The per-line annotation is summarised in the table that follows; the line numbers in that table refer to this listing.

```lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2010 Jeff Mitchell
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local max = math.max;

local scram_hashers = require "prosody.util.sasl.scram".hashers;
local generate_uuid = require "prosody.util.uuid".generate;
local new_sasl = require "prosody.util.sasl".new;
local hex = require"prosody.util.hex";
local to_hex, from_hex = hex.encode, hex.decode;
local saslprep = require "prosody.util.encodings".stringprep.saslprep;
local secure_equals = require "prosody.util.hashes".equals;

local log = module._log;
local host = module.host;

local accounts = module:open_store("accounts");

local hash_name = module:get_option_enum("password_hash", "SHA-1", "SHA-256");
local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library");
local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();

-- Default; can be set per-user
local default_iteration_count = module:get_option_integer("default_iteration_count", 10000, 4096);

local tokenauth = module:depends("tokenauth");

-- define auth provider
local provider = {};

function provider.test_password(username, password)
	log("debug", "test password for user '%s'", username);
	local credentials = accounts:get(username) or {};
	if credentials.disabled then
		return nil, "Account disabled.";
	end
	password = saslprep(password);
	if not password then
		return nil, "Password fails SASLprep.";
	end

	if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
		if not secure_equals(saslprep(credentials.password), password) then
			return nil, "Auth failed. Provided password is incorrect.";
		end

		if provider.set_password(username, credentials.password) == nil then
			return nil, "Auth failed. Could not set hashed password from plaintext.";
		else
			return true;
		end
	end

	if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
		return nil, "Auth failed. Stored salt and iteration count information is not complete.";
	end

	local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count);

	local stored_key_hex = to_hex(stored_key);
	local server_key_hex = to_hex(server_key);

	if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then
		return true;
	else
		return nil, "Auth failed. Invalid username, password, or password hash information.";
	end
end

function provider.set_password(username, password)
	log("debug", "set_password for username '%s'", username);
	local account = accounts:get(username);
	if account then
		account.salt = generate_uuid();
		account.iteration_count = max(account.iteration_count or 0, default_iteration_count);
		local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count);
		if not valid then
			return valid, stored_key;
		end
		local stored_key_hex = to_hex(stored_key);
		local server_key_hex = to_hex(server_key);

		account.stored_key = stored_key_hex
		account.server_key = server_key_hex

		account.password = nil;
		account.updated = os.time();
		return accounts:set(username, account);
	end
	return nil, "Account not available.";
end

function provider.get_account_info(username)
	local account = accounts:get(username);
	if not account then return nil, "Account not available"; end
	return {
		created = account.created;
		password_updated = account.updated;
		enabled = not account.disabled;
	};
end

function provider.user_exists(username)
	local account = accounts:get(username);
	if not account then
		log("debug", "account not found for username '%s'", username);
		return nil, "Auth failed. Invalid username";
	end
	return true;
end

function provider.is_enabled(username) -- luacheck: ignore 212
	local info, err = provider.get_account_info(username);
	if not info then return nil, err; end
	return info.enabled;
end

function provider.enable(username)
	-- TODO map store?
	local account = accounts:get(username);
	account.disabled = nil;
	account.updated = os.time();
	return accounts:set(username, account);
end

function provider.disable(username, meta)
	local account = accounts:get(username);
	account.disabled = true;
	account.disabled_meta = meta;
	account.updated = os.time();
	return accounts:set(username, account);
end

function provider.users()
	return accounts:users();
end

function provider.create_user(username, password)
	local now = os.time();
	if password == nil then
		return accounts:set(username, { created = now; updated = now; disabled = true });
	end
	local salt = generate_uuid();
	local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count);
	if not valid then
		return valid, stored_key;
	end
	local stored_key_hex = to_hex(stored_key);
	local server_key_hex = to_hex(server_key);
	return accounts:set(username, {
		stored_key = stored_key_hex, server_key = server_key_hex,
		salt = salt, iteration_count = default_iteration_count,
		created = now, updated = now;
	});
end

function provider.delete_user(username)
	return accounts:set(username, nil);
end

function provider.get_sasl_handler()
	local testpass_authentication_profile = {
		plain_test = function(_, username, password)
			return provider.test_password(username, password), provider.is_enabled(username);
		end,
		[scram_name] = function(_, username)
			local credentials = accounts:get(username);
			if not credentials then return; end
			if credentials.password then
				if provider.set_password(username, credentials.password) == nil then
```

The annotation view ends at line 176, part-way through `get_sasl_handler`; the rest of the file is not included on this page.

Changesets attributed to lines of this listing, in revision order:

| rev | changeset | author | message | listing lines |
|---|---|---|---|---|
| 3164 | db9def53fe9c | Jeff Mitchell <jeff@jefferai.org> | Check in mod_hashpassauth -- works! | 1-9, 19, 29, 31, 36, 51-52, 56-59, 62, 70, 73, 75, 91, 114, 161-162, 166 |
| 3166 | 3c46cb94caed | Jeff Mitchell <jeff@jefferai.org> | Add mechanism for upgrading to hashed passwords from default. Remove some extra debug. | 47 |
| 3288 | 1a84d7d6f667 | Matthew Wild <mwild1@gmail.com> | mod_auth_internal_hashed: Remove far too many instances of inline hex conversion using gsub, which was creating useless closures and what-not | 28, 86-87 |
| 3994 | 42899d5efe3b | Matthew Wild <mwild1@gmail.com> | mod_auth_internal_*: Support for delete_user method | 95, 98 |
| 5116 | 5f9066db1b4d | Waqas Hussain <waqas20@gmail.com> | mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider. | 34, 37, 48, 50, 53-55, 60-61, 66-67, 71-72, 74, 76, 79, 89-90, 92, 96-97, 109, 111, 113, 115-117, 144, 146, 148-149, 154-155, 163, 165, 167-168, 171, 174-175 |
| 5117 | 2c7e1ce8f482 | Waqas Hussain <waqas20@gmail.com> | mod_auth_*: Use module:provides(). | 35 |
| 5156 | 6b08c922a2e4 | Kim Alvefur <zash@zash.se> | mod_auth_internal_{plain,hashed}: Add support for iterating over accounts | 140, 142-143 |
| 5500 | eeea0eb2602a | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() | 23-24, 39, 78, 94, 110, 141, 164, 173 |
| 5776 | bd0ff8ae98a8 | Florian Zeitz <florob@babelmonkeys.de> | Remove all trailing whitespace | 63, 65, 68, 88 |
| 5783 | 3a81e3b0ea4f | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Use logger setup by moduleapi instead of going for util.logger directly | 20, 22 |
| 5784 | 02217725454b | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain | 21, 38, 77, 112 |
| 6019 | e9147a16059d | Florian Zeitz <florob@babelmonkeys.de> | mod_auth_internal_hashed: Update salt and iteration count when setting a new password | 10-11, 80-81 |
| 8056 | cacf14c218ab | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Split long lines [luacheck] | 156-157, 160 |
| 8192 | 4354f556c5db | Kim Alvefur <zash@zash.se> | core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512) | 176 |
| 10218 | e458578ddfd3 | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1 | 26, 64, 82, 150 |
| 10219 | d58925bb74ca | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Precompute SCRAM authentication profile name (thanks MattJ) | 27, 172 |
| 10522 | b1ca849b8e3a | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477) | 83-85, 151-153 |
| 10914 | 0d7d71dee0a0 | Kim Alvefur <zash@zash.se> | mod_auth_internal_*: Apply saslprep to passwords | 43-46 |
| 11544 | c98aebe601f9 | Matthew Wild <mwild1@gmail.com> | mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets | 49, 69 |
| 12355 | a0ff5c438e9d | Matthew Wild <mwild1@gmail.com> | util.hex: Deprecate to/from in favour of encode/decode, for consistency! | 16 |
| 12646 | 3f38f4735c7a | Matthew Wild <mwild1@gmail.com> | usermanager, mod_auth_*: Add get_account_info() returning creation/update time | 93, 99-104, 106-108, 158-159 |
| 12669 | aed38948791f | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Allow creating disabled account without password | 145, 147 |
| 12900 | 5484debdfdfe | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Refactor to prepare for disabling users | 118, 122-123 |
| 12901 | b884ddb5a0e7 | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Add stub methods for enabling and disabling users | 130-131, 138-139 |
| 12902 | 0a0a251bcd6c | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Implement is_enabled() method | 105, 119-121 |
| 12903 | 13950bf92802 | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Implement methods to enable and disable users | 124-127, 129, 133-134, 137 |
| 12916 | 5a06d07596f9 | Matthew Wild <mwild1@gmail.com> | mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile | 32-33 |
| 12933 | 3ab0bbb1dc35 | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Record time of account disable / re-enable | 128, 136 |
| 12946 | 59478b295137 | Kim Alvefur <zash@zash.se> | mod_auth_internal_hashed: Shorten call path | 169-170 |
| 12977 | 74b9e05af71e | Kim Alvefur <zash@zash.se> | plugins: Prefix module imports with prosody namespace | 12-15, 17-18 |
| 13202 | 173038306750 | Kim Alvefur <zash@zash.se> | plugins: Use get_option_enum where appropriate | 25 |
| 13213 | 50324f66ca2a | Kim Alvefur <zash@zash.se> | plugins: Use integer config API with interval specification where sensible | 30 |
| 13359 | 1796370091d4 | Matthew Wild <mwild1@gmail.com> | usermanager, mod_auth_internal_hashed: Support metadata when disabling a user | 132, 135 |
| 13506 | 1b81a7b7c9b8 | Kim Alvefur <zash@zash.se> | mod_auth_internal_{hashed,plain}: Respect flag for disabled accounts in test_password() | 40-42 |
4764
diff
changeset
|
175 if credentials.password then |
8192
4354f556c5db
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents:
8056
diff
changeset
|
176 if provider.set_password(username, credentials.password) == nil then |
4354f556c5db
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents:
8056
diff
changeset
|
177 return nil, "Auth failed. Could not set hashed password from plaintext."; |
4354f556c5db
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents:
8056
diff
changeset
|
178 end |
5500
eeea0eb2602a
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
Kim Alvefur <zash@zash.se>
parents:
5302
diff
changeset
|
179 credentials = accounts:get(username); |
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
180 if not credentials then return; end |
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
181 end |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
182 |
8056
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
183 local stored_key, server_key = credentials.stored_key, credentials.server_key; |
cacf14c218ab
mod_auth_internal_hashed: Split long lines [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8055
diff
changeset
|
184 local iteration_count, salt = credentials.iteration_count, credentials.salt; |
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
185 stored_key = stored_key and from_hex(stored_key); |
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
186 server_key = server_key and from_hex(server_key); |
12902
0a0a251bcd6c
mod_auth_internal_hashed: Implement is_enabled() method
Kim Alvefur <zash@zash.se>
parents:
12901
diff
changeset
|
187 return stored_key, server_key, iteration_count, salt, not credentials.disabled; |
12916
5a06d07596f9
mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile
Matthew Wild <mwild1@gmail.com>
parents:
12903
diff
changeset
|
188 end; |
5a06d07596f9
mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile
Matthew Wild <mwild1@gmail.com>
parents:
12903
diff
changeset
|
189 oauthbearer = tokenauth.sasl_handler(provider, "oauth2", module:shared("tokenauth/oauthbearer_config")); |
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
190 }; |
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
191 return new_sasl(host, testpass_authentication_profile); |
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
192 end |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5500
diff
changeset
|
193 |
5117
2c7e1ce8f482
mod_auth_*: Use module:provides().
Waqas Hussain <waqas20@gmail.com>
parents:
5116
diff
changeset
|
194 module:provides("auth", provider); |
5116
5f9066db1b4d
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
Waqas Hussain <waqas20@gmail.com>
parents:
4764
diff
changeset
|
195 |
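As an added example (not Prosody's own code), this shows how the `stored_key`, `server_key`, `salt` and `iteration_count` fields written by the `accounts:set()` call at line 156 and read back by the `[scram_name]` handler are derived per RFC 5802, and how a server checks a client proof from the stored record alone. SHA-1, a constructed salt and an iteration count of 4096 are assumptions for this example; the hash names and field names are the page's.

```python
# Added example: SCRAM credential derivation and proof verification
# matching the record shape mod_auth_internal_hashed stores. Not Prosody code.
import hashlib
import hmac

HASH = "sha1"  # assumption for this example; the page only names the profile via scram_name


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def derive_scram_credentials(password: str, salt: bytes, iteration_count: int) -> dict:
    """Build the stored record: hex stored_key/server_key, raw salt, iteration count.
    The salted password and client key are discarded, so the store holds no
    value from which the password is recoverable without a brute-force search."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iteration_count)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.new(HASH, client_key).digest()
    server_key = _hmac(salted, b"Server Key")
    return {"stored_key": stored_key.hex(), "server_key": server_key.hex(),
            "salt": salt, "iteration_count": iteration_count}


def client_proof(password: str, salt: bytes, iteration_count: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iteration_count)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.new(HASH, client_key).digest()
    client_sig = _hmac(stored_key, auth_message)
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def verify_client_proof(creds: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and compare its hash with
    stored_key. Only stored_key is used, so a copy of the record does not by
    itself let someone produce a valid proof for a fresh AuthMessage."""
    stored_key = bytes.fromhex(creds["stored_key"])
    client_sig = _hmac(stored_key, auth_message)
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.new(HASH, client_key).digest(), stored_key)


def server_signature(creds: dict, auth_message: bytes) -> bytes:
    """Server side: ServerSignature = HMAC(ServerKey, AuthMessage), which the
    client checks to authenticate the server (mutual authentication)."""
    return _hmac(bytes.fromhex(creds["server_key"]), auth_message)
```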