prosody
ae5ac9830add
plugins/mod_http_file_share.lua
Software / code / prosody
Comparison
plugins/mod_http_file_share.lua @ 11853:ae5ac9830add
mod_http_file_share: return 401 instead of 403 if authentication failed
This is as per the HTTP standards [1]. Thankfully, the REQUIRED
www-authenticate header is already generated by the code.
[1]: https://datatracker.ietf.org/doc/html/rfc7235#section-3.1
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Tue, 19 Oct 2021 16:37:32 +0200 |
| parent | 11802:3d411720e719 |
| child | 11857:e080d6aa0b3b |
comparison
equal
deleted
inserted
replaced
| 11852:71266f43699d | 11853:ae5ac9830add |
|---|---|
| 247 authz = authz:match("^Bearer (.*)") | 247 authz = authz:match("^Bearer (.*)") |
| 248 end | 248 end |
| 249 if not authz then | 249 if not authz then |
| 250 module:log("debug", "Missing or malformed Authorization header"); | 250 module:log("debug", "Missing or malformed Authorization header"); |
| 251 event.response.headers.www_authenticate = "Bearer"; | 251 event.response.headers.www_authenticate = "Bearer"; |
| 252 return 403; | 252 return 401; |
| 253 end | 253 end |
| 254 local authed, upload_info = jwt.verify(secret, authz); | 254 local authed, upload_info = jwt.verify(secret, authz); |
| 255 if not (authed and type(upload_info) == "table" and type(upload_info.exp) == "number") then | 255 if not (authed and type(upload_info) == "table" and type(upload_info.exp) == "number") then |
| 256 module:log("debug", "Unauthorized or invalid token: %s, %q", authed, upload_info); | 256 module:log("debug", "Unauthorized or invalid token: %s, %q", authed, upload_info); |
| 257 return 401; | 257 return 401; |
