view mod_auth_token/token_auth_utils.lib.lua @ 6352:525655adfd3e

mod_report_affiliations: Fix traceback a non-user is sending a presence For now we won’t touch their presence instead of emiting this traceback: error Traceback[s2s]: /usr/lib/prosody/core/rostermanager.lua:275: attempt to concatenate a nil value (local 'username') stack traceback: /usr/lib/prosody/core/rostermanager.lua:275: in function 'prosody.core.rostermanager.is_user_subscribed' ...ules/mod_report_affiliations/mod_report_affiliations.lua:116: in field '?' /usr/lib/prosody/util/events.lua:81: in function </usr/lib/prosody/util/events.lua:77> (...tail calls...) /usr/lib/prosody/core/stanza_router.lua:184: in upvalue 'core_post_stanza' /usr/lib/prosody/modules/mod_presence.lua:244: in function </usr/lib/prosody/modules/mod_presence.lua:231> (...tail calls...) /usr/lib/prosody/util/events.lua:81: in function </usr/lib/prosody/util/events.lua:77> (...tail calls...) /usr/lib/prosody/core/stanza_router.lua:188: in upvalue 'core_post_stanza' /usr/lib/prosody/core/stanza_router.lua:128: in upvalue 'core_process_stanza' /usr/lib/prosody/modules/mod_s2s.lua:818: in upvalue 'func' /usr/lib/prosody/util/async.lua:149: in function </usr/lib/prosody/util/async.lua:147>
author Link Mauve <linkmauve@linkmauve.fr>
date Tue, 30 Dec 2025 13:19:43 +0100
parents 0fb12a4b6106
children
line wrap: on
line source

local base64 = require "util.encodings".base64;
local hmac = require "openssl.hmac";
local luatz = require "luatz";
local otp = require "otp";

local DIGEST_TYPE = "SHA256";
local OTP_DEVIATION = 1;
local OTP_DIGITS = 8;
local OTP_INTERVAL = 30;

local nonce_cache = {};

local function check_nonce(jid, otp_value, nonce)
	-- We cache all nonces used per OTP, to ensure that a token cannot be used
	-- more than once.
	--
	-- We assume that the OTP is valid in the current time window. This is the
	-- case because we only call check_nonce *after* the OTP has been verified.
	--
	-- We only store one OTP per JID, so if a new OTP comes in, we wipe the
	-- previous OTP and its cached nonces.
	if nonce_cache[jid] == nil or nonce_cache[jid][otp_value] == nil then
		nonce_cache[jid] = {}
		nonce_cache[jid][otp_value] = {}
		nonce_cache[jid][otp_value][nonce] = true
		return true;
	end
	if nonce_cache[jid][otp_value][nonce] == true then
		return false;
	else
		nonce_cache[jid][otp_value][nonce] = true;
		return true;
	end
end


local function verify_token(username, password, otp_seed, token_secret, log)
	local totp = otp.new_totp_from_key(otp_seed, OTP_DIGITS, OTP_INTERVAL)
	local token = string.match(password, "(%d+) ")
	local otp_value = token:sub(1,8)
	local nonce = token:sub(9)
	local signature = base64.decode(string.match(password, " (.+)"))
	local jid = username.."@"..module.host

	if totp:verify(otp_value, OTP_DEVIATION, luatz.time()) then
		log("debug", "The TOTP was verified");
		local hmac_ctx = hmac.new(token_secret, DIGEST_TYPE)
		if signature == hmac_ctx:final(otp_value..nonce..jid) then
			log("debug", "The key was verified");
			if check_nonce(jid, otp_value, nonce) then
				log("debug", "The nonce was verified");
				return true;
			end
		end
	end
	log("debug", "Verification failed");
	return false;
end

return {
	OTP_DEVIATION = OTP_DIGITS,
	OTP_DIGITS = OTP_DIGITS,
	OTP_INTERVAL = OTP_INTERVAL,
	DIGEST_TYPE = DIGEST_TYPE,
	verify_token = verify_token;
}