aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_tokenauth.lua
Commit message (Collapse)AuthorAgeFilesLines
* mod_tokenauth: Track last access time (last time a token was used)Matthew Wild2023-03-241-3/+15
|
* plugins: Prefix module imports with prosody namespaceKim Alvefur2023-03-241-7/+7
|
* mod_tokenauth: Fix traceback in get_token_session()Kim Alvefur2023-03-211-2/+2
| | | | | | | Errors in sha256 becasue `token_secret` is nil since it was not passed to _get_validated_token_info(). Looks like a simple oversight in ebe3b2f96cad
* mod_tokenauth: Switch to new token format (invalidates existing tokens!)Matthew Wild2023-03-211-14/+35
| | | | | | | | | | | | | | The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
* mod_tokenauth: Log error when token validation failsMatthew Wild2023-03-211-0/+3
|
* util.sasl.oauthbearer: Return username from callback instead using authzid (BC)Kim Alvefur2023-03-161-5/+7
| | | | | | | | | | | | | RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
* mod_tokenauth: Fix misplaced closing parenthesisKim Alvefur2023-03-021-1/+1
| | | | `type(x ~= y)` is always a string, thus truthy
* mod_tokenauth: Gracefully handle missing tokensMatthew Wild2023-03-011-0/+1
|
* mod_tokenauth: Add SASL handler backend that can accept and verify tokensMatthew Wild2023-03-011-0/+18
| | | | | This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
* mod_tokenauth: Add some sanity checking of the new optional parametersMatthew Wild2023-03-011-0/+4
|
* mod_tokenauth: Add 'purpose' constraintMatthew Wild2023-03-011-1/+2
| | | | | | | | | | This allows tokens to be tied to specific purposes/protocols. For example, we shouldn't (without specific consideration) allow an OAuth token to be dropped into a slot expecting a FAST token. While FAST doesn't currently use mod_tokenauth, it and others may do in the future. It's better to be explicit about what kind of token code is issuing or expecting.
* mod_tokenauth: Allow attaching an arbitrary data table to a tokenMatthew Wild2022-10-131-1/+2
|
* mod_tokenauth: Remove expired tokens from storageMatthew Wild2022-10-061-0/+2
|
* mod_tokenauth: Invalidate tokens issued before most recent password changeMatthew Wild2022-10-061-0/+6
| | | | | | This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.
* mod_authz_internal, and more: New iteration of role APIMatthew Wild2022-08-171-1/+1
| | | | | | | | | | | These changes to the API (hopefully the last) introduce a cleaner separation between the user's primary (default) role, and their secondary (optional) roles. To keep the code sane and reduce complexity, a data migration is needed for people using stored roles in 0.12. This can be performed with prosodyctl mod_authz_internal migrate <host>
* mod_tokenauth: New API that better fits how modules are using token authMatthew Wild2022-07-201-12/+40
| | | | | | This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
* mod_tokenauth: Track creation time of tokensMatthew Wild2020-02-281-0/+1
|
* mod_tokenauth: Handle tokens issued to bare hosts (eg components)Kim Alvefur2020-02-281-1/+1
|
* mod_authtokens: Rename to mod_tokenauth for consistency with mod_saslauthMatthew Wild2020-02-261-0/+81