Annotate

plugins/mod_tokenauth.lua @ 13112:b6aaab0846fe

util.sasl.oauthbearer: Tighter parsing of SASL message Previously the kvsep before and after the kvpairs would have been included in kvpairs, which is incorrect but should be harmless.
author Kim Alvefur <zash@zash.se>
date Fri, 26 May 2023 17:39:53 +0200
parent 13099:a1ba503610ed
child 13209:c8d949cf6b09
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
1 local base64 = require "prosody.util.encodings".base64;
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
2 local hashes = require "prosody.util.hashes";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
3 local id = require "prosody.util.id";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
4 local jid = require "prosody.util.jid";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
5 local random = require "prosody.util.random";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
6 local usermanager = require "prosody.core.usermanager";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12959
diff changeset
7 local generate_identifier = require "prosody.util.id".short;
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
9 local token_store = module:open_store("auth_tokens", "keyval+");
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
12980
6ebad8e16b3b mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
11 local access_time_granularity = module:get_option_number("token_auth_access_time_granularity", 60);
6ebad8e16b3b mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
12
13099
a1ba503610ed mod_tokenauth: Support selection of _no_ role at all
Kim Alvefur <zash@zash.se>
parents: 13098
diff changeset
13 local function select_role(username, host, role_name)
a1ba503610ed mod_tokenauth: Support selection of _no_ role at all
Kim Alvefur <zash@zash.se>
parents: 13098
diff changeset
14 if not role_name then return end
a1ba503610ed mod_tokenauth: Support selection of _no_ role at all
Kim Alvefur <zash@zash.se>
parents: 13098
diff changeset
15 local role = usermanager.get_role_by_name(role_name, host);
a1ba503610ed mod_tokenauth: Support selection of _no_ role at all
Kim Alvefur <zash@zash.se>
parents: 13098
diff changeset
16 if not role then return end
a1ba503610ed mod_tokenauth: Support selection of _no_ role at all
Kim Alvefur <zash@zash.se>
parents: 13098
diff changeset
17 if not usermanager.user_can_assume_role(username, host, role.name) then return end
a1ba503610ed mod_tokenauth: Support selection of _no_ role at all
Kim Alvefur <zash@zash.se>
parents: 13098
diff changeset
18 return role;
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
19 end
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
20
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
21 function create_grant(actor_jid, grant_jid, grant_ttl, grant_data)
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
22 grant_jid = jid.prep(grant_jid);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
23 if not actor_jid or actor_jid ~= grant_jid and not jid.compare(grant_jid, actor_jid) then
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
24 module:log("debug", "Actor <%s> is not permitted to create a token granting access to JID <%s>", actor_jid, grant_jid);
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 return nil, "not-authorized";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
28 local grant_username, grant_host, grant_resource = jid.split(grant_jid);
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
30 if grant_host ~= module.host then
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 return nil, "invalid-host";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
34 local grant_id = id.short();
12980
6ebad8e16b3b mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
35 local now = os.time();
6ebad8e16b3b mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
36
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
37 local grant = {
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
38 id = grant_id;
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
39
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 owner = actor_jid;
12980
6ebad8e16b3b mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
41 created = now;
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
42 expires = grant_ttl and (now + grant_ttl) or nil;
12980
6ebad8e16b3b mod_tokenauth: Track last access time (last time a token was used)
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
43 accessed = now;
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
44
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
45 jid = grant_jid;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
46 resource = grant_resource;
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
48 data = grant_data;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
49
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
50 -- tokens[<hash-name>..":"..<secret>] = token_info
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
51 tokens = {};
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 };
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
54 local ok, err = token_store:set_key(grant_username, grant_id, grant);
12996
e8716515405e mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com>
parents: 12980
diff changeset
55 if not ok then
e8716515405e mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com>
parents: 12980
diff changeset
56 return nil, err;
e8716515405e mod_tokenauth: return error if storage of new token fails
Matthew Wild <mwild1@gmail.com>
parents: 12980
diff changeset
57 end
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58
13003
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
59 module:fire_event("token-grant-created", {
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
60 id = grant_id;
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
61 grant = grant;
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
62 username = grant_username;
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
63 host = grant_host;
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
64 });
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
65
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
66 return grant;
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
69 function create_token(grant_jid, grant, token_role, token_ttl, token_purpose, token_data)
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
70 if (token_data and type(token_data) ~= "table") or (token_purpose and type(token_purpose) ~= "string") then
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
71 return nil, "bad-request";
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
72 end
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
73 local grant_username, grant_host = jid.split(grant_jid);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
74 if grant_host ~= module.host then
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
75 return nil, "invalid-host";
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
76 end
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
77 if type(grant) == "string" then -- lookup by id
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
78 grant = token_store:get_key(grant_username, grant);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
79 if not grant then return nil; end
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
80 end
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
81
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
82 if not grant.tokens then return nil, "internal-server-error"; end -- old-style token?
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
83
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
84 local now = os.time();
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
85 local expires = grant.expires; -- Default to same expiry as grant
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
86 if token_ttl then -- explicit lifetime requested
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
87 if expires then
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
88 -- Grant has an expiry, so limit to that or shorter
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
89 expires = math.min(now + token_ttl, expires);
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
90 else
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
91 -- Grant never expires, just use whatever expiry is requested for the token
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
92 expires = now + token_ttl;
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
93 end
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
94 end
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
95
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
96 local token_info = {
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
97 role = token_role;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
98
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
99 created = now;
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
100 expires = expires;
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
101 purpose = token_purpose;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
102
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
103 data = token_data;
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
104 };
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
105
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
106 local token_secret = random.bytes(18);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
107 grant.tokens["sha256:"..hashes.sha256(token_secret, true)] = token_info;
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
108
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
109 local ok, err = token_store:set_key(grant_username, grant.id, grant);
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
110 if not ok then
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
111 return nil, err;
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
112 end
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
113
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
114 local token_string = "secret-token:"..base64.encode("2;"..grant.id..";"..token_secret..";"..grant.jid);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
115 return token_string, token_info;
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
116 end
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
117
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
118 local function parse_token(encoded_token)
12917
e4de42495fb7 mod_tokenauth: Gracefully handle missing tokens
Matthew Wild <mwild1@gmail.com>
parents: 12915
diff changeset
119 if not encoded_token then return nil; end
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
120 local encoded_data = encoded_token:match("^secret%-token:(.+)$");
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
121 if not encoded_data then return nil; end
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
122 local token = base64.decode(encoded_data);
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
123 if not token then return nil; end
13074
794a5ad5495e mod_tokenauth: Fix parsing binary part of tokens
Kim Alvefur <zash@zash.se>
parents: 13073
diff changeset
124 local token_id, token_secret, token_jid = token:match("^2;([^;]+);(..................);(.+)$");
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
125 if not token_id then return nil; end
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
126 local token_user, token_host = jid.split(token_jid);
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
127 return token_id, token_user, token_host, token_secret;
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
128 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
129
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
130 local function clear_expired_grant_tokens(grant, now)
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
131 local updated;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
132 now = now or os.time();
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
133 for secret, token_info in pairs(grant.tokens) do
12999
c87ac7d1967f mod_tokenauth: Fix traceback when checking expiry of tokens with no expiry
Matthew Wild <mwild1@gmail.com>
parents: 12998
diff changeset
134 local expires = token_info.expires;
c87ac7d1967f mod_tokenauth: Fix traceback when checking expiry of tokens with no expiry
Matthew Wild <mwild1@gmail.com>
parents: 12998
diff changeset
135 if expires and expires < now then
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
136 grant.tokens[secret] = nil;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
137 updated = true;
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
138 end
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
139 end
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
140 return updated;
12997
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
141 end
0a56b84ec4ad mod_tokenauth: Support for creating sub-tokens
Matthew Wild <mwild1@gmail.com>
parents: 12996
diff changeset
142
13009
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
143 local function _get_validated_grant_info(username, grant)
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
144 if type(grant) == "string" then
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
145 grant = token_store:get_key(username, grant);
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
146 end
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
147 if not grant or not grant.created then return nil; end
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
148
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
149 -- Invalidate grants from before last password change
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
150 local account_info = usermanager.get_account_info(username, module.host);
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
151 local password_updated_at = account_info and account_info.password_updated;
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
152 if password_updated_at and grant.created < password_updated_at then
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
153 module:log("debug", "Token grant issued before last password change, invalidating it now");
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
154 token_store:set_key(username, grant.id, nil);
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
155 return nil, "not-authorized";
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
156 elseif grant.expires and grant.expires < os.time() then
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
157 module:log("debug", "Token grant expired, cleaning up");
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
158 token_store:set_key(username, grant.id, nil);
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
159 return nil, "expired";
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
160 end
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
161
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
162 return grant;
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
163 end
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
164
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
165 local function _get_validated_token_info(token_id, token_user, token_host, token_secret)
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
166 if token_host ~= module.host then
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 return nil, "invalid-host";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
169
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
170 local grant, err = token_store:get_key(token_user, token_id);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
171 if not grant or not grant.tokens then
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
172 if err then
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
173 module:log("error", "Unable to read from token storage: %s", err);
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
174 return nil, "internal-error";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
175 end
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
176 module:log("warn", "Invalid token in storage (%s / %s)", token_user, token_id);
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
177 return nil, "not-authorized";
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
178 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
179
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
180 -- Check provided secret
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
181 local secret_hash = "sha256:"..hashes.sha256(token_secret, true);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
182 local token_info = grant.tokens[secret_hash];
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
183 if not token_info then
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
184 module:log("debug", "No tokens matched the given secret");
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
185 return nil, "not-authorized";
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
186 end
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
187
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
188 -- Check expiry
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
189 local now = os.time();
13073
9e5802b45b9e mod_tokenauth: Only check if expiry of expiring tokens
Kim Alvefur <zash@zash.se>
parents: 13024
diff changeset
190 if token_info.expires and token_info.expires < now then
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
191 module:log("debug", "Token has expired, cleaning it up");
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
192 grant.tokens[secret_hash] = nil;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
193 token_store:set_key(token_user, token_id, grant);
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
194 return nil, "not-authorized";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
195 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
196
13009
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
197 -- Verify grant validity (expiry, etc.)
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
198 grant = _get_validated_grant_info(token_user, grant);
a70ff0c524c9 mod_tokenauth: Move grant validation to a reusable function
Matthew Wild <mwild1@gmail.com>
parents: 13006
diff changeset
199 if not grant then
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
200 return nil, "not-authorized";
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
201 end
12742
126aefd2c4c6 mod_tokenauth: Invalidate tokens issued before most recent password change
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
202
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
203 -- Update last access time if necessary
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
204 local last_accessed = grant.accessed;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
205 if not last_accessed or (now - last_accessed) > access_time_granularity then
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
206 grant.accessed = now;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
207 clear_expired_grant_tokens(grant); -- Clear expired tokens while we're here
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
208 token_store:set_key(token_user, token_id, grant);
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
209 end
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
210
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
211 token_info.id = token_id;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
212 token_info.grant = grant;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
213 token_info.jid = grant.jid;
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
214
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
215 return token_info;
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
216 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
217
13010
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
218 function get_grant_info(username, grant_id)
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
219 local grant = _get_validated_grant_info(username, grant_id);
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
220 if not grant then return nil; end
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
221
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
222 -- Caller is only interested in the grant, no need to expose token stuff to them
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
223 grant.tokens = nil;
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
224
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
225 return grant;
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
226 end
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
227
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
228 function get_user_grants(username)
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
229 local grants = token_store:get(username);
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
230 if not grants then return nil; end
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
231 for grant_id, grant in pairs(grants) do
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
232 grants[grant_id] = _get_validated_grant_info(username, grant);
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
233 end
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
234 return grants;
3e454af3615d mod_tokenauth: Add API to inspect individual grants or all of a user's grants
Matthew Wild <mwild1@gmail.com>
parents: 13009
diff changeset
235 end
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
236
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
237 function get_token_info(token)
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
238 local token_id, token_user, token_host, token_secret = parse_token(token);
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
239 if not token_id then
12952
a668bc1aa39d mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents: 12938
diff changeset
240 module:log("warn", "Failed to verify access token: %s", token_user);
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
241 return nil, "invalid-token-format";
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
242 end
12953
ebe3b2f96cad mod_tokenauth: Switch to new token format (invalidates existing tokens!)
Matthew Wild <mwild1@gmail.com>
parents: 12952
diff changeset
243 return _get_validated_token_info(token_id, token_user, token_host, token_secret);
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
244 end
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
245
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
246 function get_token_session(token, resource)
12959
e331210beeb2 mod_tokenauth: Fix traceback in get_token_session()
Kim Alvefur <zash@zash.se>
parents: 12953
diff changeset
247 local token_id, token_user, token_host, token_secret = parse_token(token);
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
248 if not token_id then
12952
a668bc1aa39d mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents: 12938
diff changeset
249 module:log("warn", "Failed to verify access token: %s", token_user);
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
250 return nil, "invalid-token-format";
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
251 end
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
252
12959
e331210beeb2 mod_tokenauth: Fix traceback in get_token_session()
Kim Alvefur <zash@zash.se>
parents: 12953
diff changeset
253 local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret);
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
254 if not token_info then return nil, err; end
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
255
13098
65d2ff6e674e mod_tokenauth: Return error instead of session for token without role
Kim Alvefur <zash@zash.se>
parents: 13074
diff changeset
256 local role = select_role(token_user, token_host, token_info.role);
65d2ff6e674e mod_tokenauth: Return error instead of session for token without role
Kim Alvefur <zash@zash.se>
parents: 13074
diff changeset
257 if not role then return nil, "not-authorized"; end
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
258 return {
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
259 username = token_user;
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
260 host = token_host;
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
261 resource = token_info.resource or resource or generate_identifier();
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
262
13098
65d2ff6e674e mod_tokenauth: Return error instead of session for token without role
Kim Alvefur <zash@zash.se>
parents: 13074
diff changeset
263 role = role;
12649
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
264 };
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
265 end
86e1187f6274 mod_tokenauth: New API that better fits how modules are using token auth
Matthew Wild <mwild1@gmail.com>
parents: 10675
diff changeset
266
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
267 function revoke_token(token)
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
268 local token_id, token_user, token_host = parse_token(token);
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
269 if not token_id then
12952
a668bc1aa39d mod_tokenauth: Log error when token validation fails
Matthew Wild <mwild1@gmail.com>
parents: 12938
diff changeset
270 module:log("warn", "Failed to verify access token: %s", token_user);
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
271 return nil, "invalid-token-format";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
272 end
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
273 if token_host ~= module.host then
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
274 return nil, "invalid-host";
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
275 end
13003
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
276 local ok, err = token_store:set_key(token_user, token_id, nil);
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
277 if not ok then
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
278 return nil, err;
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
279 end
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
280 module:fire_event("token-grant-revoked", { id = token_id, username = token_user, host = token_host });
34ed17ef1c1a mod_tokenauth: Fire events on grant creation and revocation
Matthew Wild <mwild1@gmail.com>
parents: 13000
diff changeset
281 return true;
10668
25c84c0a66fd mod_authtokens: New module for managing auth tokens
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
282 end
12915
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
283
13024
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
284 function revoke_grant(username, grant_id)
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
285 local ok, err = token_store:set_key(username, grant_id, nil);
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
286 if not ok then return nil, err; end
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
287 module:fire_event("token-grant-revoked", { id = grant_id, username = username, host = module.host });
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
288 return true;
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
289 end
7558fd152459 mod_tokenauth: Add API method to revoke a grant by id
Matthew Wild <mwild1@gmail.com>
parents: 13010
diff changeset
290
12915
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
291 function sasl_handler(auth_provider, purpose, extra)
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12919
diff changeset
292 return function (sasl, token, realm, _authzid)
12915
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
293 local token_info, err = get_token_info(token);
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
294 if not token_info then
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
295 module:log("debug", "SASL handler failed to verify token: %s", err);
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
296 return nil, nil, extra;
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
297 end
12998
601d9a375b86 mod_tokenauth: Refactor API to separate tokens and grants
Matthew Wild <mwild1@gmail.com>
parents: 12997
diff changeset
298 local token_user, token_host, resource = jid.split(token_info.grant.jid);
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12919
diff changeset
299 if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
12915
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
300 return nil, nil, extra;
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
301 end
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12919
diff changeset
302 if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then
12915
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
303 return true, false, token_info;
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
304 end
12938
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12919
diff changeset
305 sasl.resource = resource;
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12919
diff changeset
306 sasl.token_info = token_info;
055b03d3059b util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents: 12919
diff changeset
307 return token_user, true, token_info;
12915
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
308 end;
70f6a8dceb1d mod_tokenauth: Add SASL handler backend that can accept and verify tokens
Matthew Wild <mwild1@gmail.com>
parents: 12914
diff changeset
309 end