Software / code / prosody
Annotate
plugins/mod_tokenauth.lua @ 13073:9e5802b45b9e
mod_tokenauth: Only check if expiry of expiring tokens
Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime
explicitly bounded here, but rather be bounded by the lifetime of
something else, like the OAuth2 client.
Open question: Would it be better to enforce a lifetime on all tokens?
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 12 Apr 2023 10:21:32 +0200 |
| parent | 13024:7558fd152459 |
| child | 13074:794a5ad5495e |
| rev | line source |
|---|---|
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
1 local base64 = require "prosody.util.encodings".base64; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
2 local hashes = require "prosody.util.hashes"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
3 local id = require "prosody.util.id"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
4 local jid = require "prosody.util.jid"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
5 local random = require "prosody.util.random"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
6 local usermanager = require "prosody.core.usermanager"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12959
diff
changeset
|
7 local generate_identifier = require "prosody.util.id".short; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
9 local token_store = module:open_store("auth_tokens", "keyval+"); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
|
12980
6ebad8e16b3b
mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
11 local access_time_granularity = module:get_option_number("token_auth_access_time_granularity", 60); |
|
6ebad8e16b3b
mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
12 |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
13 local function select_role(username, host, role) |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
14 if role then |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
15 return prosody.hosts[host].authz.get_role_by_name(role); |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
16 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12649
diff
changeset
|
17 return usermanager.get_user_role(username, host); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
18 end |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
19 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
20 function create_grant(actor_jid, grant_jid, grant_ttl, grant_data) |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
21 grant_jid = jid.prep(grant_jid); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
22 if not actor_jid or actor_jid ~= grant_jid and not jid.compare(grant_jid, actor_jid) then |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
23 module:log("debug", "Actor <%s> is not permitted to create a token granting access to JID <%s>", actor_jid, grant_jid); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 return nil, "not-authorized"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
27 local grant_username, grant_host, grant_resource = jid.split(grant_jid); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
29 if grant_host ~= module.host then |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 return nil, "invalid-host"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
33 local grant_id = id.short(); |
|
12980
6ebad8e16b3b
mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
34 local now = os.time(); |
|
6ebad8e16b3b
mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
35 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
36 local grant = { |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
37 id = grant_id; |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
38 |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 owner = actor_jid; |
|
12980
6ebad8e16b3b
mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
40 created = now; |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
41 expires = grant_ttl and (now + grant_ttl) or nil; |
|
12980
6ebad8e16b3b
mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
42 accessed = now; |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
43 |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
44 jid = grant_jid; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
45 resource = grant_resource; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
47 data = grant_data; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
48 |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
49 -- tokens[<hash-name>..":"..<secret>] = token_info |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
50 tokens = {}; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 }; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
53 local ok, err = token_store:set_key(grant_username, grant_id, grant); |
|
12996
e8716515405e
mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com>
parents:
12980
diff
changeset
|
54 if not ok then |
|
e8716515405e
mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com>
parents:
12980
diff
changeset
|
55 return nil, err; |
|
e8716515405e
mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com>
parents:
12980
diff
changeset
|
56 end |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
|
13003
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
58 module:fire_event("token-grant-created", { |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
59 id = grant_id; |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
60 grant = grant; |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
61 username = grant_username; |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
62 host = grant_host; |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
63 }); |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
64 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
65 return grant; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
68 function create_token(grant_jid, grant, token_role, token_ttl, token_purpose, token_data) |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
69 if (token_data and type(token_data) ~= "table") or (token_purpose and type(token_purpose) ~= "string") then |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
70 return nil, "bad-request"; |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
71 end |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
72 local grant_username, grant_host = jid.split(grant_jid); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
73 if grant_host ~= module.host then |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
74 return nil, "invalid-host"; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
75 end |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
76 if type(grant) == "string" then -- lookup by id |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
77 grant = token_store:get_key(grant_username, grant); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
78 if not grant then return nil; end |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
79 end |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
80 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
81 if not grant.tokens then return nil, "internal-server-error"; end -- old-style token? |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
82 |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
83 local now = os.time(); |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
84 local expires = grant.expires; -- Default to same expiry as grant |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
85 if token_ttl then -- explicit lifetime requested |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
86 if expires then |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
87 -- Grant has an expiry, so limit to that or shorter |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
88 expires = math.min(now + token_ttl, expires); |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
89 else |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
90 -- Grant never expires, just use whatever expiry is requested for the token |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
91 expires = now + token_ttl; |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
92 end |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
93 end |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
94 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
95 local token_info = { |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
96 role = token_role; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
97 |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
98 created = now; |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
99 expires = expires; |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
100 purpose = token_purpose; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
101 |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
102 data = token_data; |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
103 }; |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
104 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
105 local token_secret = random.bytes(18); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
106 grant.tokens["sha256:"..hashes.sha256(token_secret, true)] = token_info; |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
107 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
108 local ok, err = token_store:set_key(grant_username, grant.id, grant); |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
109 if not ok then |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
110 return nil, err; |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
111 end |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
112 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
113 local token_string = "secret-token:"..base64.encode("2;"..grant.id..";"..token_secret..";"..grant.jid); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
114 return token_string, token_info; |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
115 end |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
116 |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
117 local function parse_token(encoded_token) |
|
12917
e4de42495fb7
mod_tokenauth: Gracefully handle missing tokens
Matthew Wild <mwild1@gmail.com>
parents:
12915
diff
changeset
|
118 if not encoded_token then return nil; end |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
119 local encoded_data = encoded_token:match("^secret%-token:(.+)$"); |
|
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
120 if not encoded_data then return nil; end |
|
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
121 local token = base64.decode(encoded_data); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
122 if not token then return nil; end |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
123 local token_id, token_secret, token_jid = token:match("^2;([^;]+);([^;]+);(.+)$"); |
|
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
124 if not token_id then return nil; end |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
125 local token_user, token_host = jid.split(token_jid); |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
126 return token_id, token_user, token_host, token_secret; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
128 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
129 local function clear_expired_grant_tokens(grant, now) |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
130 local updated; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
131 now = now or os.time(); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
132 for secret, token_info in pairs(grant.tokens) do |
|
12999
c87ac7d1967f
mod_tokenauth: Fix traceback when checking expiry of tokens with no expiry
Matthew Wild <mwild1@gmail.com>
parents:
12998
diff
changeset
|
133 local expires = token_info.expires; |
|
c87ac7d1967f
mod_tokenauth: Fix traceback when checking expiry of tokens with no expiry
Matthew Wild <mwild1@gmail.com>
parents:
12998
diff
changeset
|
134 if expires and expires < now then |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
135 grant.tokens[secret] = nil; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
136 updated = true; |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
137 end |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
138 end |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
139 return updated; |
|
12997
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
140 end |
|
0a56b84ec4ad
mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents:
12996
diff
changeset
|
141 |
|
13009
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
142 local function _get_validated_grant_info(username, grant) |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
143 if type(grant) == "string" then |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
144 grant = token_store:get_key(username, grant); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
145 end |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
146 if not grant or not grant.created then return nil; end |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
147 |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
148 -- Invalidate grants from before last password change |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
149 local account_info = usermanager.get_account_info(username, module.host); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
150 local password_updated_at = account_info and account_info.password_updated; |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
151 if password_updated_at and grant.created < password_updated_at then |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
152 module:log("debug", "Token grant issued before last password change, invalidating it now"); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
153 token_store:set_key(username, grant.id, nil); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
154 return nil, "not-authorized"; |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
155 elseif grant.expires and grant.expires < os.time() then |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
156 module:log("debug", "Token grant expired, cleaning up"); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
157 token_store:set_key(username, grant.id, nil); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
158 return nil, "expired"; |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
159 end |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
160 |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
161 return grant; |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
162 end |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
163 |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
164 local function _get_validated_token_info(token_id, token_user, token_host, token_secret) |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 if token_host ~= module.host then |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
166 return nil, "invalid-host"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
168 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
169 local grant, err = token_store:get_key(token_user, token_id); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
170 if not grant or not grant.tokens then |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
171 if err then |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
172 module:log("error", "Unable to read from token storage: %s", err); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
173 return nil, "internal-error"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
174 end |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
175 module:log("warn", "Invalid token in storage (%s / %s)", token_user, token_id); |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
176 return nil, "not-authorized"; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
177 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
178 |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
179 -- Check provided secret |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
180 local secret_hash = "sha256:"..hashes.sha256(token_secret, true); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
181 local token_info = grant.tokens[secret_hash]; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
182 if not token_info then |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
183 module:log("debug", "No tokens matched the given secret"); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
184 return nil, "not-authorized"; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
185 end |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
186 |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
187 -- Check expiry |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
188 local now = os.time(); |
|
13073
9e5802b45b9e
mod_tokenauth: Only check if expiry of expiring tokens
Kim Alvefur <zash@zash.se>
parents:
13024
diff
changeset
|
189 if token_info.expires and token_info.expires < now then |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
190 module:log("debug", "Token has expired, cleaning it up"); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
191 grant.tokens[secret_hash] = nil; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
192 token_store:set_key(token_user, token_id, grant); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
193 return nil, "not-authorized"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
194 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
195 |
|
13009
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
196 -- Verify grant validity (expiry, etc.) |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
197 grant = _get_validated_grant_info(token_user, grant); |
|
a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents:
13006
diff
changeset
|
198 if not grant then |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
199 return nil, "not-authorized"; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
200 end |
|
12742
126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
201 |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
202 -- Update last access time if necessary |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
203 local last_accessed = grant.accessed; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
204 if not last_accessed or (now - last_accessed) > access_time_granularity then |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
205 grant.accessed = now; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
206 clear_expired_grant_tokens(grant); -- Clear expired tokens while we're here |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
207 token_store:set_key(token_user, token_id, grant); |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
208 end |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
209 |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
210 token_info.id = token_id; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
211 token_info.grant = grant; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
212 token_info.jid = grant.jid; |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
213 |
|
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
214 return token_info; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
215 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
216 |
|
13010
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
217 function get_grant_info(username, grant_id) |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
218 local grant = _get_validated_grant_info(username, grant_id); |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
219 if not grant then return nil; end |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
220 |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
221 -- Caller is only interested in the grant, no need to expose token stuff to them |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
222 grant.tokens = nil; |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
223 |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
224 return grant; |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
225 end |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
226 |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
227 function get_user_grants(username) |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
228 local grants = token_store:get(username); |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
229 if not grants then return nil; end |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
230 for grant_id, grant in pairs(grants) do |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
231 grants[grant_id] = _get_validated_grant_info(username, grant); |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
232 end |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
233 return grants; |
|
3e454af3615d
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents:
13009
diff
changeset
|
234 end |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
235 |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
236 function get_token_info(token) |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
237 local token_id, token_user, token_host, token_secret = parse_token(token); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
238 if not token_id then |
|
12952
a668bc1aa39d
mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents:
12938
diff
changeset
|
239 module:log("warn", "Failed to verify access token: %s", token_user); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
240 return nil, "invalid-token-format"; |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
241 end |
|
12953
ebe3b2f96cad
mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents:
12952
diff
changeset
|
242 return _get_validated_token_info(token_id, token_user, token_host, token_secret); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
243 end |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
244 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
245 function get_token_session(token, resource) |
|
12959
e331210beeb2
mod_tokenauth: Fix traceback in get_token_session()
Kim Alvefur <zash@zash.se>
parents:
12953
diff
changeset
|
246 local token_id, token_user, token_host, token_secret = parse_token(token); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
247 if not token_id then |
|
12952
a668bc1aa39d
mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents:
12938
diff
changeset
|
248 module:log("warn", "Failed to verify access token: %s", token_user); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
249 return nil, "invalid-token-format"; |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
250 end |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
251 |
|
12959
e331210beeb2
mod_tokenauth: Fix traceback in get_token_session()
Kim Alvefur <zash@zash.se>
parents:
12953
diff
changeset
|
252 local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret); |
|
12649
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
253 if not token_info then return nil, err; end |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
254 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
255 return { |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
256 username = token_user; |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
257 host = token_host; |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
258 resource = token_info.resource or resource or generate_identifier(); |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
259 |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
260 role = select_role(token_user, token_host, token_info.role); |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
261 }; |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
262 end |
|
86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents:
10675
diff
changeset
|
263 |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
264 function revoke_token(token) |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
265 local token_id, token_user, token_host = parse_token(token); |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
266 if not token_id then |
|
12952
a668bc1aa39d
mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents:
12938
diff
changeset
|
267 module:log("warn", "Failed to verify access token: %s", token_user); |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
268 return nil, "invalid-token-format"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
269 end |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
270 if token_host ~= module.host then |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
271 return nil, "invalid-host"; |
|
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
272 end |
|
13003
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
273 local ok, err = token_store:set_key(token_user, token_id, nil); |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
274 if not ok then |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
275 return nil, err; |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
276 end |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
277 module:fire_event("token-grant-revoked", { id = token_id, username = token_user, host = token_host }); |
|
34ed17ef1c1a
mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents:
13000
diff
changeset
|
278 return true; |
|
10668
25c84c0a66fd
mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
279 end |
|
12915
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
280 |
|
13024
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
281 function revoke_grant(username, grant_id) |
|
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
282 local ok, err = token_store:set_key(username, grant_id, nil); |
|
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
283 if not ok then return nil, err; end |
|
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
284 module:fire_event("token-grant-revoked", { id = grant_id, username = username, host = module.host }); |
|
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
285 return true; |
|
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
286 end |
|
7558fd152459
mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents:
13010
diff
changeset
|
287 |
|
12915
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
288 function sasl_handler(auth_provider, purpose, extra) |
|
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12919
diff
changeset
|
289 return function (sasl, token, realm, _authzid) |
|
12915
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
290 local token_info, err = get_token_info(token); |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
291 if not token_info then |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
292 module:log("debug", "SASL handler failed to verify token: %s", err); |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
293 return nil, nil, extra; |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
294 end |
|
12998
601d9a375b86
mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents:
12997
diff
changeset
|
295 local token_user, token_host, resource = jid.split(token_info.grant.jid); |
|
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12919
diff
changeset
|
296 if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then |
|
12915
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
297 return nil, nil, extra; |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
298 end |
|
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12919
diff
changeset
|
299 if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then |
|
12915
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
300 return true, false, token_info; |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
301 end |
|
12938
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12919
diff
changeset
|
302 sasl.resource = resource; |
|
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12919
diff
changeset
|
303 sasl.token_info = token_info; |
|
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12919
diff
changeset
|
304 return token_user, true, token_info; |
|
12915
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
305 end; |
|
70f6a8dceb1d
mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents:
12914
diff
changeset
|
306 end |
