prosody
87dd8639f08f
util/id.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

util/id.lua @ 13843:87dd8639f08f 13.0

mod_invites_register: Stricter validation of registration events This fixes two problems: 1) Account invites that were created with a specific username were not in fact restricted to that username. 2) Password reset invites were not restricted to resetting passwords, but could be used to create an arbitrary new account if the client or registration frontend (e.g. mod_invites_register_web) doesn't handle/enforce the username. This new validation ensures that registrations and resets are always for the username specified in the invitation.
author Matthew Wild <mwild1@gmail.com>
date Thu, 10 Apr 2025 16:07:32 +0100
parent 12975:d10957394a3c
line wrap: on
line source

-- Prosody IM
-- Copyright (C) 2008-2017 Matthew Wild
-- Copyright (C) 2008-2017 Waqas Hussain
-- Copyright (C) 2008-2017 Kim Alvefur
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local s_gsub = string.gsub;
local random_bytes = require "prosody.util.random".bytes;
local base64_encode = require "prosody.util.encodings".base64.encode;

local b64url = { ["+"] = "-", ["/"] = "_", ["="] = "" };
local function b64url_random(len)
	return (s_gsub(base64_encode(random_bytes(len)), "[+/=]", b64url));
end

return {
	-- sizes divisible by 3 fit nicely into base64 without padding==

	-- for short lived things with low risk of collisions
	tiny = function() return b64url_random(3); end;

	-- close to 8 bytes, should be good enough for relatively short lived or uses
	-- scoped by host or users, half the size of an uuid
	short = function() return b64url_random(9); end;

	-- more entropy than uuid at 2/3 the size
	-- should be okay for globally scoped ids or security token
	medium = function() return b64url_random(18); end;

	-- as long as an uuid but MOAR entropy
	long = function() return b64url_random(27); end;

	-- pick your own adventure
	custom = function (size)
		return function () return b64url_random(size); end;
	end;
}