prosody
86e1187f6274
plugins/mod_tokenauth.lua
Software / code / prosody
Comparison
plugins/mod_tokenauth.lua @ 12649:86e1187f6274
mod_tokenauth: New API that better fits how modules are using token auth
This also updates the module to the new role API, and improves support for
scope/role selection (currently treated as the same thing, which they almost
are).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 20 Jul 2022 10:52:17 +0100 |
| parent | 10675:5efd6865486c |
| child | 12662:07424992d7fc |
comparison
equal
deleted
inserted
replaced
| 12648:f299e570a0fe | 12649:86e1187f6274 |
|---|---|
| 1 local id = require "util.id"; | 1 local id = require "util.id"; |
| 2 local jid = require "util.jid"; | 2 local jid = require "util.jid"; |
| 3 local base64 = require "util.encodings".base64; | 3 local base64 = require "util.encodings".base64; |
| 4 local usermanager = require "core.usermanager"; | |
| 5 local generate_identifier = require "util.id".short; | |
| 4 | 6 |
| 5 local token_store = module:open_store("auth_tokens", "map"); | 7 local token_store = module:open_store("auth_tokens", "map"); |
| 6 | 8 |
| 7 function create_jid_token(actor_jid, token_jid, token_scope, token_ttl) | 9 local function select_role(username, host, role) |
| 10 if role then | |
| 11 return prosody.hosts[host].authz.get_role_by_name(role); | |
| 12 end | |
| 13 return usermanager.get_user_default_role(username, host); | |
| 14 end | |
| 15 | |
| 16 function create_jid_token(actor_jid, token_jid, token_role, token_ttl) | |
| 8 token_jid = jid.prep(token_jid); | 17 token_jid = jid.prep(token_jid); |
| 9 if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then | 18 if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then |
| 10 return nil, "not-authorized"; | 19 return nil, "not-authorized"; |
| 11 end | 20 end |
| 12 | 21 |
| 19 local token_info = { | 28 local token_info = { |
| 20 owner = actor_jid; | 29 owner = actor_jid; |
| 21 created = os.time(); | 30 created = os.time(); |
| 22 expires = token_ttl and (os.time() + token_ttl) or nil; | 31 expires = token_ttl and (os.time() + token_ttl) or nil; |
| 23 jid = token_jid; | 32 jid = token_jid; |
| 24 session = { | |
| 25 username = token_username; | |
| 26 host = token_host; | |
| 27 resource = token_resource; | |
| 28 | 33 |
| 29 auth_scope = token_scope; | 34 resource = token_resource; |
| 30 }; | 35 role = token_role; |
| 31 }; | 36 }; |
| 32 | 37 |
| 33 local token_id = id.long(); | 38 local token_id = id.long(); |
| 34 local token = base64.encode("1;"..jid.join(token_username, token_host)..";"..token_id); | 39 local token = base64.encode("1;"..jid.join(token_username, token_host)..";"..token_id); |
| 35 token_store:set(token_username, token_id, token_info); | 40 token_store:set(token_username, token_id, token_info); |
| 44 if not token_jid then return nil; end | 49 if not token_jid then return nil; end |
| 45 local token_user, token_host = jid.split(token_jid); | 50 local token_user, token_host = jid.split(token_jid); |
| 46 return token_id, token_user, token_host; | 51 return token_id, token_user, token_host; |
| 47 end | 52 end |
| 48 | 53 |
| 49 function get_token_info(token) | 54 local function _get_parsed_token_info(token_id, token_user, token_host) |
| 50 local token_id, token_user, token_host = parse_token(token); | |
| 51 if not token_id then | |
| 52 return nil, "invalid-token-format"; | |
| 53 end | |
| 54 if token_host ~= module.host then | 55 if token_host ~= module.host then |
| 55 return nil, "invalid-host"; | 56 return nil, "invalid-host"; |
| 56 end | 57 end |
| 57 | 58 |
| 58 local token_info, err = token_store:get(token_user, token_id); | 59 local token_info, err = token_store:get(token_user, token_id); |
| 68 end | 69 end |
| 69 | 70 |
| 70 return token_info | 71 return token_info |
| 71 end | 72 end |
| 72 | 73 |
| 74 function get_token_info(token) | |
| 75 local token_id, token_user, token_host = parse_token(token); | |
| 76 if not token_id then | |
| 77 return nil, "invalid-token-format"; | |
| 78 end | |
| 79 return _get_parsed_token_info(token_id, token_user, token_host); | |
| 80 end | |
| 81 | |
| 82 function get_token_session(token, resource) | |
| 83 local token_id, token_user, token_host = parse_token(token); | |
| 84 if not token_id then | |
| 85 return nil, "invalid-token-format"; | |
| 86 end | |
| 87 | |
| 88 local token_info, err = _get_parsed_token_info(token_id, token_user, token_host); | |
| 89 if not token_info then return nil, err; end | |
| 90 | |
| 91 return { | |
| 92 username = token_user; | |
| 93 host = token_host; | |
| 94 resource = token_info.resource or resource or generate_identifier(); | |
| 95 | |
| 96 role = select_role(token_user, token_host, token_info.role); | |
| 97 }; | |
| 98 end | |
| 99 | |
| 100 | |
| 73 function revoke_token(token) | 101 function revoke_token(token) |
| 74 local token_id, token_user, token_host = parse_token(token); | 102 local token_id, token_user, token_host = parse_token(token); |
| 75 if not token_id then | 103 if not token_id then |
| 76 return nil, "invalid-token-format"; | 104 return nil, "invalid-token-format"; |
| 77 end | 105 end |
