| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The new format has the following properties:
- 5 bytes longer than the previous format
- The token now has separate 'id' and 'secret' parts - the token itself is no
longer stored in the DB, and the secret part is hashed
- The only variable length field (JID) has been moved to the end
- The 'secret-token:' prefix (RFC 8959) is now included
Compatibility with the old token format was not maintained, and all previously
issued tokens are invalid after this commit (they will be removed from the DB
if used).
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Following the new behavior in auth_internal_hashed (c8f59ce7d3cf), the account
will be created and disabled, instead of returning an error telling password
being nil when calling saslprep().
Note that mod_auth_internal_plain does not have full support for
enabled/disabled accounts, but that may be fixed in subsequent commits.
|
| |
| |
| |
| |
| |
| |
| | |
namespaces
Prevents modules being initialized twice, ensuring that
require"prosody.util.foo" == require"util.foo"
|
| |
| |
| |
| |
| |
| |
| | |
Nice to drop that patch.
Will allow loading this to do something both when installed under a
prosody directory or from a source checkout.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Actually `hg mv`-ing all the files is disruptive, basically breaking
everything from rebasing all my WIP draft commits to the package
building. So instead, what if we didn't and instead rewrote package
names as they are `require()`-d?
Debian packages produced by the Prosody are already installed into this
structure so much will Just Work if all require calls are updated.
|
| |
| |
| |
| |
| | |
Why did it call a function defined in the same module through
usermanager?
|
| |
| |
| |
| |
| |
| |
| | |
For potential future use.
Used for logging into a different account than the one used for
authentication.
|
| |
| |
| |
| | |
Absolute references, weird fractions, unevaluatedProperties???
|
| |
| |
| |
| | |
These seem to be using absolute URI references, Not Yet Implemented
|
| | |
|
| | |
|
| |
| |
| |
| | |
Partly copied from util.sasl.scram and then reduced a bit.
|
| |
| |
| |
| |
| |
| | |
To keep them sorted.
Not pedantic at all!
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
RFC 6120 states that
> If the initiating entity does not wish to act on behalf of another
> entity, it MUST NOT provide an authorization identity.
Thus it seems weird to require it here. We can instead expect an
username from the token data passed back from the profile.
This follows the practice of util.sasl.external where the profile
callback returns the selected username, making the authentication module
responsible for extracting the username from the token.
|
| | |
|
| |
| |
| |
| |
| |
| | |
This allows token-aware things to access extra information about the
authentication, such as when the token is due to expire and the attached
custom 'data'.
|
| | |
|
| | |
|
| |
| |
| |
| | |
Could be useful for e.g. #1772
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
Turns out we had a definition of that already
|
| | |
|
| |
| |
| |
| |
| |
| | |
E.g. module:info("http") with many http modules loaded would show a lot
of duplication, as each module would be listed for each host, even if
not actually enabled on that host.
|
| | |
|
| |
| |
| |
| |
| | |
Made it reject the primary role since it compares against a non-existent
field, i.e. nil.
|
|\| |
|
| | |
|
| |
| |
| |
| | |
Why was this module loaded? Now you can find out!
|
| |
| |
| |
| |
| | |
Useful to know why a module was auto-loaded without having to dig trough
all other modules for the one that depends on it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Some of the OAuth stuff highlights a small need to retrieve a list of
roles somehow. Handy if you ever need a role selector in adhoc or
something.
Unless there's some O(n) thing we were avoiding?
|
| |
| |
| |
| | |
`type(x ~= y)` is always a string, thus truthy
|
| |
| |
| |
| |
| |
| | |
E.g. if you were to just pass "username" without @hostname, the split
will return nil, "username" and the nil gets passed to saslprep() and it
does not like that.
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
This is designed for use by other modules that want to accept tokens issued
by mod_tokenauth, without duplicating all the necessary logic.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows tokens to be tied to specific purposes/protocols. For example, we
shouldn't (without specific consideration) allow an OAuth token to be dropped
into a slot expecting a FAST token.
While FAST doesn't currently use mod_tokenauth, it and others may do in the
future. It's better to be explicit about what kind of token code is issuing or
expecting.
|
| |
| |
| |
| | |
The token layer supports tokens that are tied to a given resource.
|
| | |
|
| |
| |
| |
| | |
Enables UI in clients supporting XEP-0050
|
| | |
|
| |
| |
| |
| | |
First proper UI to enable/disable, allowing it to be tested.
|
| |
| |
| |
| |
| |
| |
| |
| | |
We decided that at the first stage, accounts that are disabled should
simply be prevented from authenticating, thus they should also be
prevented from having connected sessions. Since this is aimed to be a
moderation action for cases of abuse, they shouldn't be allowed to
continue being connected.
|
| |
| |
| |
| | |
Allow modules to act on this state change, e.g. kick accounts etc.
|
| |
| |
| |
| | |
Calling into the auth module, where available.
|
| | |
|