From b435f6d52aa7f4ca3d122bedbfbbb92b9c14ece8 Mon Sep 17 00:00:00 2001
From: Matthew Wild <mwild1@gmail.com>
Date: Wed, 1 Mar 2023 13:04:36 +0000
Subject: mod_tokenauth: Add SASL handler backend that can accept and verify
 tokens

This is designed for use by other modules that want to accept tokens issued
by mod_tokenauth, without duplicating all the necessary logic.
---
 plugins/mod_tokenauth.lua | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'plugins/mod_tokenauth.lua')

diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index fa8020bc..8b24bc17 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -122,3 +122,21 @@ function revoke_token(token)
 	end
 	return token_store:set(token_user, token_id, nil);
 end
+
+function sasl_handler(auth_provider, purpose, extra)
+	return function (_, username, token, realm)
+		local token_info, err = get_token_info(token);
+		if not token_info then
+			module:log("debug", "SASL handler failed to verify token: %s", err);
+			return nil, nil, extra;
+		end
+		local token_user, token_host = jid.split(token_info.jid);
+		if username ~= token_user or realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
+			return nil, nil, extra;
+		end
+		if auth_provider.is_enabled and not auth_provider.is_enabled(username) then
+			return true, false, token_info;
+		end
+		return true, true, token_info;
+	end;
+end
-- 
cgit v1.2.3