Mercurial > prosody-modules
comparison mod_client_management/mod_client_management.lua @ 5305:9b9f35aaeb91
mod_client_management: Add support for revocation of clients (when possible)
We decided to keep the unified listing of "clients", which includes both SASL2
clients and OAuth grants, etc. To a user, or someone wanting to manage what
can access their account, they are largely equivalent.
To accomplish this technically, we add a prefix to the id to state what type
it really is.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 05 Apr 2023 19:42:16 +0100 |
| parents | 717ff9468464 |
| children | 210aeb5afe42 |
comparison
equal
deleted
inserted
replaced
| 5304:717ff9468464 | 5305:9b9f35aaeb91 |
|---|---|
| 228 -- Go through known clients, check whether they could possibly log in | 228 -- Go through known clients, check whether they could possibly log in |
| 229 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id | 229 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id |
| 230 local active = is_client_active(client); | 230 local active = is_client_active(client); |
| 231 if active then | 231 if active then |
| 232 client.type = "session"; | 232 client.type = "session"; |
| 233 client.id = "client/"..client.id; | |
| 233 client.active = active; | 234 client.active = active; |
| 234 table.insert(active_clients, client); | 235 table.insert(active_clients, client); |
| 235 if active.grant then | 236 if active.grant then |
| 236 used_grants[active.grant.id] = true; | 237 used_grants[active.grant.id] = true; |
| 237 end | 238 end |
| 240 | 241 |
| 241 -- Next, account for any grants that have been issued, but never actually logged in | 242 -- Next, account for any grants that have been issued, but never actually logged in |
| 242 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do | 243 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do |
| 243 if not used_grants[grant_id] then -- exclude grants already accounted for | 244 if not used_grants[grant_id] then -- exclude grants already accounted for |
| 244 table.insert(active_clients, { | 245 table.insert(active_clients, { |
| 245 id = grant_id; | 246 id = "grant/"..grant.id; |
| 246 type = "access"; | 247 type = "access"; |
| 247 first_seen = grant.created; | 248 first_seen = grant.created; |
| 248 last_seen = grant.accessed; | 249 last_seen = grant.accessed; |
| 249 active = { | 250 active = { |
| 250 grant = grant; | 251 grant = grant; |
| 270 end); | 271 end); |
| 271 | 272 |
| 272 return active_clients; | 273 return active_clients; |
| 273 end | 274 end |
| 274 | 275 |
| 276 function revoke_client_access(username, client_selector) | |
| 277 if client_selector.id then | |
| 278 local c_type, c_id = client_selector.id:match("^(%w+)/(.+)$"); | |
| 279 if c_type == "client" then | |
| 280 local client = client_store:get_key(username, c_id); | |
| 281 if not client then | |
| 282 return nil, "item-not-found"; | |
| 283 end | |
| 284 local status = is_client_active(client); | |
| 285 if status.connected then | |
| 286 local ok, err = prosody.full_sessions[client.full_jid]:close(); | |
| 287 if not ok then return ok, err; end | |
| 288 end | |
| 289 if status.fast then | |
| 290 local ok = mod_fast.revoke_fast_tokens(username, client.id); | |
| 291 if not ok then return nil, "internal-server-error"; end | |
| 292 end | |
| 293 if status.grant then | |
| 294 local ok = tokenauth.revoke_grant(username, status.grant.id); | |
| 295 if not ok then return nil, "internal-server-error"; end | |
| 296 end | |
| 297 return true; | |
| 298 elseif c_type == "grant" then | |
| 299 local grant = tokenauth.get_grant_info(username, c_id); | |
| 300 if not grant then | |
| 301 return nil, "item-not-found"; | |
| 302 end | |
| 303 local ok = tokenauth.revoke_grant(username, c_id); | |
| 304 if not ok then return nil, "internal-server-error"; end | |
| 305 return true; | |
| 306 end | |
| 307 end | |
| 308 | |
| 309 return nil, "item-not-found"; | |
| 310 end | |
| 311 | |
| 275 -- Protocol | 312 -- Protocol |
| 276 | 313 |
| 277 local xmlns_manage_clients = "xmpp:prosody.im/protocol/manage-clients"; | 314 local xmlns_manage_clients = "xmpp:prosody.im/protocol/manage-clients"; |
| 278 | 315 |
| 279 module:hook("iq-get/self/xmpp:prosody.im/protocol/manage-clients:list", function (event) | 316 module:hook("iq-get/self/xmpp:prosody.im/protocol/manage-clients:list", function (event) |
