Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5681:8cb3da7df521
mod_http_oauth2: Restrict introspection to clients own tokens
The introspection code was added before the client hash was added in
0860497152af which allows connecting tokens to clients.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 29 Oct 2023 11:20:15 +0100 |
| parents | b43c989fb69c |
| children | 527c747711f3 |
comparison
equal
deleted
inserted
replaced
| 5680:b43c989fb69c | 5681:8cb3da7df521 |
|---|---|
| 1059 -- OAuth "client" credentials | 1059 -- OAuth "client" credentials |
| 1060 if not verify_client_secret(credentials.username, credentials.password) then | 1060 if not verify_client_secret(credentials.username, credentials.password) then |
| 1061 return 401; | 1061 return 401; |
| 1062 end | 1062 end |
| 1063 | 1063 |
| 1064 local client = check_client(credentials.username); | |
| 1065 if not client then | |
| 1066 return 401; | |
| 1067 end | |
| 1068 | |
| 1064 local form_data = http.formdecode(request.body or "="); | 1069 local form_data = http.formdecode(request.body or "="); |
| 1065 local token = form_data.token; | 1070 local token = form_data.token; |
| 1066 if not token then | 1071 if not token then |
| 1067 return 400; | 1072 return 400; |
| 1068 end | 1073 end |
| 1069 | 1074 |
| 1070 local token_info = tokens.get_token_info(form_data.token); | 1075 local token_info = tokens.get_token_info(form_data.token); |
| 1071 if not token_info then | 1076 if not token_info then |
| 1072 return { headers = { content_type = "application/json" }; body = json.encode { active = false } }; | 1077 return { headers = { content_type = "application/json" }; body = json.encode { active = false } }; |
| 1078 end | |
| 1079 local token_client = token_info.grant.data.oauth2_client; | |
| 1080 if not token_client or token_client.hash ~= client.client_hash then | |
| 1081 return 403; | |
| 1073 end | 1082 end |
| 1074 | 1083 |
| 1075 return { | 1084 return { |
| 1076 headers = { content_type = "application/json" }; | 1085 headers = { content_type = "application/json" }; |
| 1077 body = json.encode { | 1086 body = json.encode { |
| 1081 scope = token_info.grant.data.oauth2_scopes; | 1090 scope = token_info.grant.data.oauth2_scopes; |
| 1082 token_type = purpose_map[token_info.purpose]; | 1091 token_type = purpose_map[token_info.purpose]; |
| 1083 exp = token.expires; | 1092 exp = token.expires; |
| 1084 iat = token.created; | 1093 iat = token.created; |
| 1085 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); | 1094 sub = url.build({ scheme = "xmpp"; path = token_info.jid }); |
| 1086 aud = nil; | 1095 aud = credentials.username; |
| 1087 iss = get_issuer(); | 1096 iss = get_issuer(); |
| 1088 jti = token_info.id; | 1097 jti = token_info.id; |
| 1089 }; | 1098 }; |
| 1090 }; | 1099 }; |
| 1091 end | 1100 end |
