authorMatthew Wild <mwild1@gmail.com>2022-07-20 10:52:17 +0100
committerMatthew Wild <mwild1@gmail.com>2022-07-20 10:52:17 +0100
commita0f2f9ee193826cfb595bf93e237e33a926214f0 (patch)
treee4b69c423fbe764c868237eb009a66406777105b
parentc0b857e5fb2a670d0a7a6ef29977ee58528e842f (diff)
downloadprosody-a0f2f9ee193826cfb595bf93e237e33a926214f0.tar.gz
prosody-a0f2f9ee193826cfb595bf93e237e33a926214f0.zip
mod_tokenauth: New API that better fits how modules are using token auth
This also updates the module to the new role API, and improves support for scope/role selection (scope and role are currently treated as the same thing, which they almost are).
-rw-r--r--plugins/mod_tokenauth.lua52
1 files changed, 40 insertions, 12 deletions
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index c04a1aa4..6610036c 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -1,10 +1,19 @@
local id = require "util.id";
local jid = require "util.jid";
local base64 = require "util.encodings".base64;
+local usermanager = require "core.usermanager";
+local generate_identifier = require "util.id".short;
local token_store = module:open_store("auth_tokens", "map");
-function create_jid_token(actor_jid, token_jid, token_scope, token_ttl)
+local function select_role(username, host, role)
+ if role then
+ return prosody.hosts[host].authz.get_role_by_name(role);
+ end
+ return usermanager.get_user_default_role(username, host);
+end
+
+function create_jid_token(actor_jid, token_jid, token_role, token_ttl)
token_jid = jid.prep(token_jid);
if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
return nil, "not-authorized";
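Review bot: The new `select_role` helper returns whatever `get_role_by_name(role)` yields, so a stored role name that no longer exists (or never did) silently becomes a nil role for the resulting session instead of an error, and nothing in the new code appears to check for that. I would make the lookup explicit: `local r = prosody.hosts[host].authz.get_role_by_name(role); if not r then return nil, "unknown-role"; end; return r;` and have callers propagate the error rather than building a session with no role. As a style point, `util.id` is already required as `id` two lines above, so `generate_identifier` could simply be `id.short` instead of a second `require` of the same module. `create_jid_token` continues past the end of this hunk.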
@@ -21,13 +30,9 @@ function create_jid_token(actor_jid, token_jid, token_scope, token_ttl)
created = os.time();
expires = token_ttl and (os.time() + token_ttl) or nil;
jid = token_jid;
- session = {
- username = token_username;
- host = token_host;
- resource = token_resource;
- auth_scope = token_scope;
- };
+ resource = token_resource;
+ role = token_role;
};
local token_id = id.long();
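Review bot: The caller-supplied `token_role` is stored verbatim in `role = token_role` with no check that it names an existing role or that `actor_jid` is itself allowed to hold it; the only authorization check visible in `create_jid_token` is the actor/token JID comparison, so unless a check sits in the lines between this hunk and the previous one, a caller could mint a token carrying a more privileged role than the actor has. I would resolve and compare it up front, e.g. `if token_role and not prosody.hosts[token_host].authz.get_role_by_name(token_role) then return nil, "invalid-role"; end`, and additionally reject roles the actor does not possess before persisting the token. The removed `session` table also carried `auth_scope`; any consumer still reading `token_info.session.auth_scope` will now get nil, so those call sites should be migrated in the same change. The enclosing `create_jid_token` starts before this hunk.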
@@ -46,11 +51,7 @@ local function parse_token(encoded_token)
return token_id, token_user, token_host;
end
-function get_token_info(token)
- local token_id, token_user, token_host = parse_token(token);
- if not token_id then
- return nil, "invalid-token-format";
- end
+local function _get_parsed_token_info(token_id, token_user, token_host)
if token_host ~= module.host then
return nil, "invalid-host";
end
@@ -70,6 +71,33 @@ function get_token_info(token)
return token_info
end
+function get_token_info(token)
+ local token_id, token_user, token_host = parse_token(token);
+ if not token_id then
+ return nil, "invalid-token-format";
+ end
+ return _get_parsed_token_info(token_id, token_user, token_host);
+end
+
+function get_token_session(token, resource)
+ local token_id, token_user, token_host = parse_token(token);
+ if not token_id then
+ return nil, "invalid-token-format";
+ end
+
+ local token_info, err = _get_parsed_token_info(token_id, token_user, token_host);
+ if not token_info then return nil, err; end
+
+ return {
+ username = token_user;
+ host = token_host;
+ resource = token_info.resource or resource or generate_identifier();
+
+ role = select_role(token_user, token_host, token_info.role);
+ };
+end
+
+
function revoke_token(token)
local token_id, token_user, token_host = parse_token(token);
if not token_id then