annotate mod_http_authentication/mod_http_authentication.lua @ 6319:04c3273cb81f

mod_auth_cyrus: Add empty 'profile' table to SASL handler objects This is for compatibility with Prosody's built-in util.sasl objects. A SASL profile table usually includes methods supported by the backend, which can be used by SASL mechanism handlers to perform operations (such as testing the password). It also optionally contains a 'cb' field with channel binding method handlers. The Cyrus backend doesn't support channel binding, and doesn't have the same concept of auth backend methods (it handles all that internally, and Prosody has no insight or control over it). Thus, we create an empty profile which informs Prosody that the SASL handler does not support any of the auth or channel binding methods. Some features will not work, but they didn't work anyway. This just makes it explicit. This fixes a traceback in mod_sasl2_fast, which expected SASL handlers to always contain a 'profile' field.
author Matthew Wild <mwild1@gmail.com>
date Thu, 04 Sep 2025 10:14:46 +0100
parents 05725785e3a6
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2337
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
1
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
2 module:set_global();
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
3
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
4 local b64_decode = require "util.encodings".base64.decode;
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
5 local server = require "net.http.server";
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
6
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
7 local credentials = module:get_option_string("http_credentials", "username:secretpassword");
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
8 local unauthed_endpoints = module:get_option_set("unauthenticated_http_endpoints", { "/http-bind", "/http-bind/" })._items;
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
9
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
10 module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
11 local request = event_data.request;
3442
05725785e3a6 mod_http_authentication: Allow HTTP error events to pass through (fixes #1293)
Kim Alvefur <zash@zash.se>
parents: 2337
diff changeset
12 if event_name ~= "http-error" and request and not unauthed_endpoints[request.path] then
2337
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
13 local response = event_data.response;
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
14 local headers = request.headers;
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
15 if not headers.authorization then
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
16 response.headers.www_authenticate = ("Basic realm=%q"):format(module.host.."/"..module.name);
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
17 return 401;
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
18 end
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
19 local user_password = b64_decode(headers.authorization:match("%s(%S*)$"));
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
20 if user_password ~= credentials then
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
21 return 401;
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
22 end
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
23 end
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
24 return handlers(event_name, event_data);
c6e86b74f62e Add mod_http_authentication.lua
JC Brand <jcbrand@minddistrict.com>
parents:
diff changeset
25 end);