view mod_tlsfail/mod_tlsfail.lua @ 5447:aa4828f040c5

mod_http_oauth2: Enforce client scope restrictions in authorization When registering a client, a scope field can be included as a promise to only ever use those. Here we enforce that promise, if given, ensuring a client can't request or be granted a scope it didn't provide in its registration. While currently there is no restrictions at registration time, this could be changed in the future in various ways.
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 19:33:44 +0200
parents 7009e16192fa
children
line wrap: on
line source

local st = require "util.stanza";

local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
local starttls_attr = { xmlns = xmlns_starttls };
local s2s_feature = st.stanza("starttls", starttls_attr);
local starttls_failure = st.stanza("failure", starttls_attr);

module:hook("stream-features", function(event)
	local features = event.features;
	features:add_child(s2s_feature);
end);

module:hook("s2s-stream-features", function(event)
	local features = event.features;
	features:add_child(s2s_feature);
end);

-- Hook <starttls/>
module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
	local origin = event.origin;
	(origin.sends2s or origin.send)(starttls_failure);
	origin:close();
	return true;
end);