# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1677675681 0
# Node ID 012fa81d1f5d36b64308ab013d3478f0468687e4
# Parent  44a78985471f803254e0093075645c5aea370317
mod_tokenauth: Add 'purpose' constraint

This allows tokens to be tied to specific purposes/protocols. For example, we
shouldn't (without specific consideration) allow an OAuth token to be dropped
into a slot expecting a FAST token.

While FAST doesn't currently use mod_tokenauth, it and others may do in the
future. It's better to be explicit about what kind of token code is issuing or
expecting.

diff -r 44a78985471f -r 012fa81d1f5d plugins/mod_tokenauth.lua
--- a/plugins/mod_tokenauth.lua	Wed Mar 01 12:56:08 2023 +0000
+++ b/plugins/mod_tokenauth.lua	Wed Mar 01 13:01:21 2023 +0000
@@ -13,7 +13,7 @@
 	return usermanager.get_user_role(username, host);
 end
 
-function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data)
+function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data, token_purpose)
 	token_jid = jid.prep(token_jid);
 	if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
 		return nil, "not-authorized";
@@ -30,6 +30,7 @@
 		created = os.time();
 		expires = token_ttl and (os.time() + token_ttl) or nil;
 		jid = token_jid;
+		purpose = token_purpose;
 
 		resource = token_resource;
 		role = token_role;