view mod_http_authentication/mod_http_authentication.lua @ 4210:a0937b5cfdcb

mod_invites_page: Remove preauth URI button This button is incompatible with the majority of XMPP clients around, yet based on feedback from users, many are drawn to click it when they have any XMPP client installed already. In the case where the user already has software installed, we would prefer them to select it from the software list so they can follow the setup process suited to their specific client (we already track which software supports preauth URIs). If their client is not listed, they can still use the manual registration link instead.
author Matthew Wild <mwild1@gmail.com>
date Fri, 16 Oct 2020 11:03:38 +0100
parents 05725785e3a6
children
line wrap: on
line source


module:set_global();

local b64_decode = require "util.encodings".base64.decode;
local server = require "net.http.server";

local credentials = module:get_option_string("http_credentials", "username:secretpassword");
local unauthed_endpoints = module:get_option_set("unauthenticated_http_endpoints", { "/http-bind", "/http-bind/" })._items;

module:wrap_object_event(server._events, false, function (handlers, event_name, event_data)
	local request = event_data.request;
	if event_name ~= "http-error" and request and not unauthed_endpoints[request.path] then
		local response = event_data.response;
		local headers = request.headers;
		if not headers.authorization then
			response.headers.www_authenticate = ("Basic realm=%q"):format(module.host.."/"..module.name);
			return 401;
		end
		local user_password = b64_decode(headers.authorization:match("%s(%S*)$"));
		if user_password ~= credentials then
			return 401;
		end
	end
	return handlers(event_name, event_data);
end);