plugins/mod_tokenauth.lua @ 13009:a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 29 Mar 2023 17:14:45 +0100 |
| parent | 13006:d943733c6d01 |
| child | 13010:3e454af3615d |
| 13008:7b952553bd60 | 13009:a70ff0c524c9 |
|---|---|
| 137 end | 137 end |
| 138 end | 138 end |
| 139 return updated; | 139 return updated; |
| 140 end | 140 end |
| 141 | 141 |
| 142 local function _get_validated_grant_info(username, grant) | |
| 143 if type(grant) == "string" then | |
| 144 grant = token_store:get_key(username, grant); | |
| 145 end | |
| 146 if not grant or not grant.created then return nil; end | |
| 147 | |
| 148 -- Invalidate grants from before last password change | |
| 149 local account_info = usermanager.get_account_info(username, module.host); | |
| 150 local password_updated_at = account_info and account_info.password_updated; | |
| 151 if password_updated_at and grant.created < password_updated_at then | |
| 152 module:log("debug", "Token grant issued before last password change, invalidating it now"); | |
| 153 token_store:set_key(username, grant.id, nil); | |
| 154 return nil, "not-authorized"; | |
| 155 elseif grant.expires and grant.expires < os.time() then | |
| 156 module:log("debug", "Token grant expired, cleaning up"); | |
| 157 token_store:set_key(username, grant.id, nil); | |
| 158 return nil, "expired"; | |
| 159 end | |
| 160 | |
| 161 return grant; | |
| 162 end | |
| 163 | |
| 142 local function _get_validated_token_info(token_id, token_user, token_host, token_secret) | 164 local function _get_validated_token_info(token_id, token_user, token_host, token_secret) |
| 143 if token_host ~= module.host then | 165 if token_host ~= module.host then |
| 144 return nil, "invalid-host"; | 166 return nil, "invalid-host"; |
| 145 end | 167 end |
| 146 | 168 |
| 169 grant.tokens[secret_hash] = nil; | 191 grant.tokens[secret_hash] = nil; |
| 170 token_store:set_key(token_user, token_id, grant); | 192 token_store:set_key(token_user, token_id, grant); |
| 171 return nil, "not-authorized"; | 193 return nil, "not-authorized"; |
| 172 end | 194 end |
| 173 | 195 |
| 174 -- Invalidate grants from before last password change | 196 -- Verify grant validity (expiry, etc.) |
| 175 local account_info = usermanager.get_account_info(token_user, module.host); | 197 grant = _get_validated_grant_info(token_user, grant); |
| 176 local password_updated_at = account_info and account_info.password_updated; | 198 if not grant then |
| 177 if password_updated_at and grant.created < password_updated_at then | |
| 178 module:log("debug", "Token grant issued before last password change, invalidating it now"); | |
| 179 token_store:set_key(token_user, token_id, nil); | |
| 180 return nil, "not-authorized"; | 199 return nil, "not-authorized"; |
| 181 end | 200 end |
| 182 | 201 |
| 183 -- Update last access time if necessary | 202 -- Update last access time if necessary |
| 184 local last_accessed = grant.accessed; | 203 local last_accessed = grant.accessed; |