Comparison
plugins/mod_invites_register.lua @ 13843:87dd8639f08f 13.0
mod_invites_register: Stricter validation of registration events
This fixes two problems:
1) Account invites that were created with a specific username were not
in fact restricted to that username.
2) Password reset invites were not restricted to resetting passwords,
but could be used to create an arbitrary new account if the client
or registration frontend (e.g. mod_invites_register_web) doesn't
handle/enforce the username.
This new validation ensures that registrations and resets are always for the
username specified in the invitation.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 10 Apr 2025 16:07:32 +0100 |
| parent | 13011:16b47c3b44f3 |
| child | 13849:068e77bf91b9 |
| 13841:d01cfbb7fc4f | 13843:87dd8639f08f |
|---|---|
| 99 -- This registration is not using an invite, but | 99 -- This registration is not using an invite, but |
| 100 -- the server is not in invite-only mode, so nothing | 100 -- the server is not in invite-only mode, so nothing |
| 101 -- for this module to do... | 101 -- for this module to do... |
| 102 return; | 102 return; |
| 103 end | 103 end |
| 104 if validated_invite and validated_invite.additional_data and validated_invite.additional_data.allow_reset then | 104 if validated_invite then |
| 105 event.allow_reset = validated_invite.additional_data.allow_reset; | 105 local username = validated_invite.username; |
| 106 if username and username ~= event.username then | |
| 107 event.allowed = false; | |
| 108 event.reason = "The chosen username is not valid with this invitation"; | |
| 109 end | |
| 110 local reset_username = validated_invite.additional_data and validated_invite.additional_data.allow_reset; | |
| 111 if reset_username then | |
| 112 if reset_username ~= event.username then | |
| 113 event.allowed = false; | |
| 114 event.reason = "Incorrect username for password reset"; | |
| 115 end | |
| 116 event.allow_reset = reset_username; | |
| 117 end | |
| 106 end | 118 end |
| 107 end); | 119 end); |
| 108 | 120 |
| 109 -- Make a *one-way* subscription. User will see when contact is online, | 121 -- Make a *one-way* subscription. User will see when contact is online, |
| 110 -- contact will not see when user is online. | 122 -- contact will not see when user is online. |
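Review bot: at new line 116, `event.allow_reset = reset_username;` is executed unconditionally, including on the path where the check at lines 112-115 has just set `event.allowed = false` because the requested username does not match the one the reset invite was issued for. The event then carries both a refusal and a reset marker for a username the requester is not entitled to, and stays consistent only if every later handler checks `event.allowed` before acting on `event.allow_reset`. Suggest making the assignment conditional, e.g. `if reset_username ~= event.username then ... else event.allow_reset = reset_username; end`, or returning right after setting `event.allowed = false`. A smaller point: when an invite carries both a `username` and an `allow_reset` value and both comparisons fail, the second `event.reason` overwrites the first, so the client only ever sees the password-reset message; the combined case may be worth a comment or an early return after the first mismatch.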