prosody
5484debdfdfe
plugins/mod_auth_internal_hashed.lua
Software / code / prosody
Comparison
plugins/mod_auth_internal_hashed.lua @ 12900:5484debdfdfe
mod_auth_internal_hashed: Refactor to prepare for disabling users
Moving this out will make space for a dynamic check whether a particular
user is disabled or not, which is one possible response to abuse of
account privileges.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 22 Feb 2023 13:27:08 +0100 |
| parent | 12669:aed38948791f |
| child | 12901:b884ddb5a0e7 |
comparison
equal
deleted
inserted
replaced
| 12899:09b101a3b3e1 | 12900:5484debdfdfe |
|---|---|
| 108 return nil, "Auth failed. Invalid username"; | 108 return nil, "Auth failed. Invalid username"; |
| 109 end | 109 end |
| 110 return true; | 110 return true; |
| 111 end | 111 end |
| 112 | 112 |
| 113 function provider.is_enabled(username) -- luacheck: ignore 212 | |
| 114 -- TODO look up somewhere and allow disabling | |
| 115 return true; | |
| 116 end | |
| 117 | |
| 113 function provider.users() | 118 function provider.users() |
| 114 return accounts:users(); | 119 return accounts:users(); |
| 115 end | 120 end |
| 116 | 121 |
| 117 function provider.create_user(username, password) | 122 function provider.create_user(username, password) |
| 138 end | 143 end |
| 139 | 144 |
| 140 function provider.get_sasl_handler() | 145 function provider.get_sasl_handler() |
| 141 local testpass_authentication_profile = { | 146 local testpass_authentication_profile = { |
| 142 plain_test = function(_, username, password, realm) | 147 plain_test = function(_, username, password, realm) |
| 143 return usermanager.test_password(username, realm, password), true; | 148 return usermanager.test_password(username, realm, password), provider.is_enabled(username); |
| 144 end, | 149 end, |
| 145 [scram_name] = function(_, username) | 150 [scram_name] = function(_, username) |
| 146 local credentials = accounts:get(username); | 151 local credentials = accounts:get(username); |
| 147 if not credentials then return; end | 152 if not credentials then return; end |
| 148 if credentials.password then | 153 if credentials.password then |
| 155 | 160 |
| 156 local stored_key, server_key = credentials.stored_key, credentials.server_key; | 161 local stored_key, server_key = credentials.stored_key, credentials.server_key; |
| 157 local iteration_count, salt = credentials.iteration_count, credentials.salt; | 162 local iteration_count, salt = credentials.iteration_count, credentials.salt; |
| 158 stored_key = stored_key and from_hex(stored_key); | 163 stored_key = stored_key and from_hex(stored_key); |
| 159 server_key = server_key and from_hex(server_key); | 164 server_key = server_key and from_hex(server_key); |
| 160 return stored_key, server_key, iteration_count, salt, true; | 165 return stored_key, server_key, iteration_count, salt, provider.is_enabled(username); |
| 161 end | 166 end |
| 162 }; | 167 }; |
| 163 return new_sasl(host, testpass_authentication_profile); | 168 return new_sasl(host, testpass_authentication_profile); |
| 164 end | 169 end |
| 165 | 170 |
