prosody
Changeset 12913:012fa81d1f5d
mod_tokenauth: Add 'purpose' constraint
This allows tokens to be tied to specific purposes/protocols. For example, we
shouldn't (without specific consideration) allow an OAuth token to be dropped
into a slot expecting a FAST token.
While FAST doesn't currently use mod_tokenauth, it and others may do in the
future. It's better to be explicit about what kind of token code is issuing or
expecting.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Wed, 01 Mar 2023 13:01:21 +0000 |
parents | 12912:44a78985471f |
children | 12914:2b4661bd39e2 |
files | plugins/mod_tokenauth.lua |
diffstat | 1 files changed, 2 insertions(+), 1 deletions(-) |
--- a/plugins/mod_tokenauth.lua Wed Mar 01 12:56:08 2023 +0000 +++ b/plugins/mod_tokenauth.lua Wed Mar 01 13:01:21 2023 +0000 @@ -13,7 +13,7 @@ return usermanager.get_user_role(username, host); end -function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data) +function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data, token_purpose) token_jid = jid.prep(token_jid); if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then return nil, "not-authorized"; @@ -30,6 +30,7 @@ created = os.time(); expires = token_ttl and (os.time() + token_ttl) or nil; jid = token_jid; + purpose = token_purpose; resource = token_resource; role = token_role;
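Review bot: In the first hunk (@@ -13,7 +13,7 @@), the new `token_purpose` argument is appended as an optional sixth positional parameter with no check and no default, so every existing caller of `create_jid_token` keeps working and silently issues a token whose purpose is nil. The commit message argues for being explicit about what kind of token is being issued, so consider rejecting a missing or non-string purpose up front, next to the existing `return nil, "not-authorized";` path, or document what a nil purpose means for callers. With six positional arguments it is also easy to pass `token_data` and `token_purpose` in the wrong order; a short comment above the function listing the parameters would help.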
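Review bot: In the second hunk (@@ -30,6 +30,7 @@), `purpose = token_purpose;` is only written into the stored token record; the diffstat (2 insertions, 1 deletion) shows that nothing in this changeset compares it when a token is presented, so the constraint is recorded but not yet enforced. A follow-up should have the code that accepts a token state the purpose it expects and refuse on mismatch, and should decide explicitly how tokens stored before this change, which have no `purpose` field, are treated, so that a nil purpose does not end up matching every slot.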