Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 6204:4f0ed0e3ad5a
mod_http_oauth2: Require client authentication for password grant
| author | magicfelix <felix@felix-zauberer.de> |
|---|---|
| date | Sat, 19 Apr 2025 16:42:21 +0200 |
| parents | a1a33f0f6f6e |
| children | c1b94dd6e53b |
comparison
equal
deleted
inserted
replaced
| 6203:5ab0e560027a | 6204:4f0ed0e3ad5a |
|---|---|
| 395 -- Access tokens are delivered via redirect when using the implict flow, not | 395 -- Access tokens are delivered via redirect when using the implict flow, not |
| 396 -- via the token endpoint, so how did you get here? | 396 -- via the token endpoint, so how did you get here? |
| 397 return oauth_error("invalid_request"); | 397 return oauth_error("invalid_request"); |
| 398 end | 398 end |
| 399 | 399 |
| 400 local function make_client_secret(client_id) --> client_secret | |
| 401 return hashes.hmac_sha256(verification_key, client_id, true); | |
| 402 end | |
| 403 | |
| 404 local function verify_client_secret(client_id, client_secret) | |
| 405 return hashes.equals(make_client_secret(client_id), client_secret); | |
| 406 end | |
| 407 | |
| 400 function grant_type_handlers.password(params) | 408 function grant_type_handlers.password(params) |
| 409 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | |
| 410 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | |
| 411 | |
| 412 local client = check_client(params.client_id); | |
| 413 if not client then | |
| 414 return oauth_error("invalid_client", "incorrect credentials"); | |
| 415 end | |
| 416 | |
| 417 if not verify_client_secret(params.client_id, params.client_secret) then | |
| 418 module:log("debug", "client_secret mismatch"); | |
| 419 return oauth_error("invalid_client", "incorrect credentials"); | |
| 420 end | |
| 421 | |
| 401 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)")); | 422 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)")); |
| 402 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'")); | 423 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'")); |
| 403 local request_username, request_host, request_resource = jid.prepped_split(request_jid); | 424 local request_username, request_host, request_resource = jid.prepped_split(request_jid); |
| 404 | 425 |
| 405 if not (request_username and request_host) or request_host ~= module.host then | 426 if not (request_username and request_host) or request_host ~= module.host then |
| 501 cache_control = "no-store"; | 522 cache_control = "no-store"; |
| 502 pragma = "no-cache"; | 523 pragma = "no-cache"; |
| 503 location = url.build(redirect); | 524 location = url.build(redirect); |
| 504 }; | 525 }; |
| 505 } | 526 } |
| 506 end | |
| 507 | |
| 508 local function make_client_secret(client_id) --> client_secret | |
| 509 return hashes.hmac_sha256(verification_key, client_id, true); | |
| 510 end | |
| 511 | |
| 512 local function verify_client_secret(client_id, client_secret) | |
| 513 return hashes.equals(make_client_secret(client_id), client_secret); | |
| 514 end | 527 end |
| 515 | 528 |
| 516 function grant_type_handlers.authorization_code(params) | 529 function grant_type_handlers.authorization_code(params) |
| 517 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end | 530 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end |
| 518 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end | 531 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end |
