plugins/mod_saslauth.lua @ 1216:fd8ce71bc72b
mod_saslauth, mod_legacyauth: Deny logins to unsecure sessions when require_encryption config option is true
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 29 May 2009 14:33:55 +0100 |
| parent | 1186:078eb3b109e9 |
| child | 1217:844ef764ef0e |
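--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -18,10 +18,12 @@
 local t_concat, t_insert = table.concat, table.insert;
 local tostring = tostring;
 local jid_split = require "util.jid".split
 local md5 = require "util.hashes".md5;
 local config = require "core.configmanager";
+
+local secure_auth_only = config.get(module:get_host(), "core", "require_encryption");
 
 local log = module._log;
 
 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
@@ -117,11 +119,11 @@
 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
 module:add_event_hook("stream-features",
 function (session, features)
-if not session.username then
+if not session.username and ((not secure_auth_only) or session.secure) then
 features:tag("mechanisms", mechanisms_attr);
 -- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
 if config.get(session.host or "*", "core", "anonymous_login") then
 features:tag("mechanism"):text("ANONYMOUS"):up();
 else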
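Review bot: The new condition in the `stream-features` hook only stops the server from advertising `<mechanisms>` on an unencrypted session; it does not by itself refuse a SASL `<auth>` stanza that a client sends without waiting for the advertisement. Neither visible hunk touches the handler that processes the auth stanzas, so unless that handler is gated elsewhere in the file, `require_encryption` is advisory rather than enforced. I would repeat the test at the top of that handler and answer with a SASL failure when `secure_auth_only and not session.secure` holds. Note also that `secure_auth_only` is read once at module load, so a changed `require_encryption` value presumably takes effect only after the module is reloaded; a comment such as `-- read once at load; reload the module after changing require_encryption` would make that explicit. The hook function continues past the end of this hunk.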