authorMatthew Wild <mwild1@gmail.com>2020-02-26 17:56:23 +0000
committerMatthew Wild <mwild1@gmail.com>2020-02-26 17:56:23 +0000
commitbd69308bf1e9cc6a84620d74a51b7621d55db685 (patch)
tree1bf114ec7ab3e26f90ab01f67503efac256a1027
parent80a38cc8731fcb38f9ed7f4aa20c8e9a2071467f (diff)
downloadprosody-bd69308bf1e9cc6a84620d74a51b7621d55db685.tar.gz
prosody-bd69308bf1e9cc6a84620d74a51b7621d55db685.zip
mod_authtokens: New module for managing auth tokens
-rw-r--r--plugins/mod_authtokens.lua81
1 files changed, 81 insertions, 0 deletions
diff --git a/plugins/mod_authtokens.lua b/plugins/mod_authtokens.lua
new file mode 100644
index 00000000..8e516924
--- /dev/null
+++ b/plugins/mod_authtokens.lua
@@ -0,0 +1,81 @@
+local id = require "util.id";
+local jid = require "util.jid";
+local base64 = require "util.encodings".base64;
+
+local token_store = module:open_store("auth_tokens", "map");
+
+function create_jid_token(actor_jid, token_jid, token_scope, token_ttl)
+ token_jid = jid.prep(token_jid);
+ if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
+ return nil, "not-authorized";
+ end
+
+ local token_username, token_host, token_resource = jid.split(token_jid);
+
+ if token_host ~= module.host then
+ return nil, "invalid-host";
+ end
+
+ local token_info = {
+ owner = actor_jid;
+ expires = token_ttl and (os.time() + token_ttl) or nil;
+ jid = token_jid;
+ session = {
+ username = token_username;
+ host = token_host;
+ resource = token_resource;
+
+ auth_scope = token_scope;
+ };
+ };
+
+ local token_id = id.long();
+ local token = base64.encode("1;"..token_username.."@"..token_host..";"..token_id);
+ token_store:set(token_username, token_id, token_info);
+
+ return token, token_info;
+end
+
+local function parse_token(encoded_token)
+ local token = base64.decode(encoded_token);
+ if not token then return nil; end
+ local token_jid, token_id = token:match("^1;([^;]+);(.+)$");
+ if not token_jid then return nil; end
+ local token_user, token_host = jid.split(token_jid);
+ return token_id, token_user, token_host;
+end
+
+function get_token_info(token)
+ local token_id, token_user, token_host = parse_token(token);
+ if not token_id then
+ return nil, "invalid-token-format";
+ end
+ if token_host ~= module.host then
+ return nil, "invalid-host";
+ end
+
+ local token_info, err = token_store:get(token_user, token_id);
+ if not token_info then
+ if err then
+ return nil, "internal-error";
+ end
+ return nil, "not-authorized";
+ end
+
+ if token_info.expires and token_info.expires < os.time() then
+ return nil, "not-authorized";
+ end
+
+ return token_info
+end
+
+function revoke_token(token)
+ local token_id, token_user, token_host = parse_token(token);
+ if not token_id then
+ return nil, "invalid-token-format";
+ end
+ if token_host ~= module.host then
+ return nil, "invalid-host";
+ end
+ return token_store:set(token_user, token_id, nil);
+end
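Review bot: The return value of `token_store:set(token_username, token_id, token_info)` in `create_jid_token` is discarded, so when the storage write fails the caller is still handed a token that `get_token_info` will later refuse with `not-authorized`; check it, e.g. `local ok, err = token_store:set(token_username, token_id, token_info); if not ok then return nil, err or "internal-error"; end`. In `parse_token`, `jid.split` yields a nil user for a decoded payload without an `@`, and nothing rejects that, so a crafted token whose host part matches `module.host` reaches `token_store:get(nil, token_id)`; add `if not token_user then return nil; end` before the `return`. Expired tokens are refused by the `token_info.expires` check in `get_token_info` but are never removed from the store, so they accumulate until explicitly revoked; clearing them there with `token_store:set(token_user, token_id, nil)` presumably costs little. Finally, the token secret `token_id` is used verbatim as the map key, so anyone who can read the `auth_tokens` store obtains usable credentials; storing a hash of the secret instead would limit that, though it depends on which hashing helper the module is willing to require.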