From 3fbec27699fe712b175ef17a8f20da9e61095d06 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 1 Dec 2023 23:43:18 +0100
Subject: mod_saslauth: Fire event at start of authentication attempt

As extension point for rate limiting and similar checks, so they can
hook a single event instead of <{sasl1}auth> or stream features, which
might not be fired in case of SASL2 or e.g. HTTP based login.
---
 plugins/mod_saslauth.lua | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'plugins')

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 8b85ca41..4cdbfe67 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -215,6 +215,12 @@ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
 
 	if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
 
+	-- event for preemptive checks, rate limiting etc
+	module:fire_event("authentication-attempt", event);
+	if event.allowed == false then
+		session.send(build_reply("failure", event.error_condition or "not-authorized", event.error_text));
+		return true;
+	end
 	if session.sasl_handler and session.sasl_handler.selected then
 		session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
 	end
-- 
cgit v1.2.3