aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_tokenauth.lua
Commit message (Collapse)AuthorAgeFilesLines
* mod_tokenauth: Fix saving grants after clearing expired tokensKim Alvefur2023-11-051-4/+4
| | | | | Previously the whole grant was deleted if it found one expired toke, which was not indented.
* mod_tokenauth: Set name/description on cleanup jobKim Alvefur2023-10-211-1/+1
|
* mod_tokenauth: Save grant after removing expired tokensKim Alvefur2023-10-211-0/+5
| | | | Ensures the periodic cleanup really does remove expired tokens.
* mod_tokenauth: Periodically clear out expired tokens and grantsKim Alvefur2023-10-091-0/+6
| | | | This should ensure expired grants eventually disappear.
* mod_tokenauth: Delete grants without tokens after periodKim Alvefur2023-10-161-0/+8
| | | | | | | | | | Generally it is expected that a grant would have at least one token as long as the grant is in active use. Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by default, so the idea here is that if that refresh token expired and another week goes by without the grant being used, then the whole grant can be removed.
* mod_tokenauth: Clear expired tokens on grant retrievalKim Alvefur2023-10-091-1/+8
|
* mod_tokenauth: Delete grants in the wrong formats on retrievalKim Alvefur2023-10-091-0/+5
|
* mod_tokenauth: Fix revoking a single token without revoking whole grantKim Alvefur2023-07-231-4/+18
| | | | | | This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
* plugins: Switch to :get_option_period() for time range optionsKim Alvefur2023-07-161-1/+1
| | | | Improves readability ("1 day" vs 86400) and centralizes validation.
* mod_tokenauth: Support selection of _no_ role at allKim Alvefur2023-05-071-5/+6
| | | | | | If a grant does not have a role, we should not go and make one up. While not very useful for XMPP if you can't even login, it may be useful for OAuth2/OIDC.
* mod_tokenauth: Return error instead of session for token without roleKim Alvefur2023-05-071-1/+3
| | | | | Such a session triggers errors in module:may or other places since it is generally expected that a session must have a role.
* mod_tokenauth: Fix parsing binary part of tokensKim Alvefur2023-04-121-1/+1
| | | | | | Fixes parsing of tokens that happen to have a `;` in their secret part, otherwise it splits there and the later bit goes into the username and hitting the "Invalid token in storage" condition.
* mod_tokenauth: Only check if expiry of expiring tokensKim Alvefur2023-04-121-1/+1
| | | | | | | | Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime explicitly bounded here, but rather be bounded by the lifetime of something else, like the OAuth2 client. Open question: Would it be better to enforce a lifetime on all tokens?
* mod_tokenauth: Add API method to revoke a grant by idMatthew Wild2023-04-051-0/+7
| | | | We probably want to refactor revoke_token() to use this one in the future.
* mod_tokenauth: Add API to inspect individual grants or all of a user's grantsMatthew Wild2023-03-291-0/+18
|
* mod_tokenauth: Move grant validation to a reusable functionMatthew Wild2023-03-291-6/+25
|
* mod_tokenauth: fix traceback if password has never been changedJonas Schäfer2023-03-281-1/+1
| | | | | By checking the password_updated_at for non-nilness before using it, we avoid a nasty crash :-).
* mod_tokenauth: Fire events on grant creation and revocationMatthew Wild2023-03-281-1/+13
|
* mod_tokenauth: Fix storage API mistake in revocationKim Alvefur2023-03-281-1/+1
|
* mod_tokenauth: Fix traceback when checking expiry of tokens with no expiryMatthew Wild2023-03-271-1/+2
|
* mod_tokenauth: Refactor API to separate tokens and grantsMatthew Wild2023-03-271-115/+92
| | | | | | | This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
* mod_tokenauth: Support for creating sub-tokensMatthew Wild2023-03-261-22/+110
| | | | | | | | | | | | | | | | Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
* mod_tokenauth: return error if storage of new token failsMatthew Wild2023-03-261-1/+4
|
* mod_tokenauth: Track last access time (last time a token was used)Matthew Wild2023-03-241-3/+15
|
* plugins: Prefix module imports with prosody namespaceKim Alvefur2023-03-241-7/+7
|
* mod_tokenauth: Fix traceback in get_token_session()Kim Alvefur2023-03-211-2/+2
| | | | | | | Errors in sha256 becasue `token_secret` is nil since it was not passed to _get_validated_token_info(). Looks like a simple oversight in ebe3b2f96cad
* mod_tokenauth: Switch to new token format (invalidates existing tokens!)Matthew Wild2023-03-211-14/+35
| | | | | | | | | | | | | | The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
* mod_tokenauth: Log error when token validation failsMatthew Wild2023-03-211-0/+3
|
* util.sasl.oauthbearer: Return username from callback instead using authzid (BC)Kim Alvefur2023-03-161-5/+7
| | | | | | | | | | | | | RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
* mod_tokenauth: Fix misplaced closing parenthesisKim Alvefur2023-03-021-1/+1
| | | | `type(x ~= y)` is always a string, thus truthy
* mod_tokenauth: Gracefully handle missing tokensMatthew Wild2023-03-011-0/+1
|
* mod_tokenauth: Add SASL handler backend that can accept and verify tokensMatthew Wild2023-03-011-0/+18
| | | | | This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
* mod_tokenauth: Add some sanity checking of the new optional parametersMatthew Wild2023-03-011-0/+4
|
* mod_tokenauth: Add 'purpose' constraintMatthew Wild2023-03-011-1/+2
| | | | | | | | | | This allows tokens to be tied to specific purposes/protocols. For example, we shouldn't (without specific consideration) allow an OAuth token to be dropped into a slot expecting a FAST token. While FAST doesn't currently use mod_tokenauth, it and others may do in the future. It's better to be explicit about what kind of token code is issuing or expecting.
* mod_tokenauth: Allow attaching an arbitrary data table to a tokenMatthew Wild2022-10-131-1/+2
|
* mod_tokenauth: Remove expired tokens from storageMatthew Wild2022-10-061-0/+2
|
* mod_tokenauth: Invalidate tokens issued before most recent password changeMatthew Wild2022-10-061-0/+6
| | | | | | This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.
* mod_authz_internal, and more: New iteration of role APIMatthew Wild2022-08-171-1/+1
| | | | | | | | | | | These changes to the API (hopefully the last) introduce a cleaner separation between the user's primary (default) role, and their secondary (optional) roles. To keep the code sane and reduce complexity, a data migration is needed for people using stored roles in 0.12. This can be performed with prosodyctl mod_authz_internal migrate <host>
* mod_tokenauth: New API that better fits how modules are using token authMatthew Wild2022-07-201-12/+40
| | | | | | This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
* mod_tokenauth: Track creation time of tokensMatthew Wild2020-02-281-0/+1
|
* mod_tokenauth: Handle tokens issued to bare hosts (eg components)Kim Alvefur2020-02-281-1/+1
|
* mod_authtokens: Rename to mod_tokenauth for consistency with mod_saslauthMatthew Wild2020-02-261-0/+81