From a58a6d2317ea9ca99a3e580db89303ee8041a7d6 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Wed, 1 Mar 2023 13:01:21 +0000
Subject: mod_tokenauth: Add 'purpose' constraint

This allows tokens to be tied to specific purposes/protocols. For example, we shouldn't (without specific consideration) allow an OAuth token to be dropped into a slot expecting a FAST token. While FAST doesn't currently use mod_tokenauth, it and others may do in the future. It's better to be explicit about what kind of token code is issuing or expecting.
---
 plugins/mod_tokenauth.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'plugins')
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 9cd73570..5edf51fd 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -13,7 +13,7 @@ local function select_role(username, host, role)
 return usermanager.get_user_role(username, host);
 end
-function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data)
+function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_data, token_purpose)
 token_jid = jid.prep(token_jid);
 if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
 return nil, "not-authorized";
@@ -30,6 +30,7 @@ function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_dat
 created = os.time();
 expires = token_ttl and (os.time() + token_ttl) or nil;
 jid = token_jid;
+ purpose = token_purpose;
 resource = token_resource;
 role = token_role;
--
cgit v1.2.3
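Review bot: `token_purpose` is appended to `create_jid_token` as an optional trailing argument, so every existing caller keeps working and silently issues a token whose purpose is nil, which is the opposite of the explicitness the commit message asks for. Once callers are updated, the function could refuse to issue when `type(token_purpose) ~= "string"`, returning `nil` plus an error string like the existing "not-authorized" path does. At minimum the parameter deserves a comment above the signature, for example `-- token_purpose: string naming the protocol this token is issued for; nil means unconstrained`. The function body continues outside the hunk.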
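Review bot: `purpose = token_purpose;` only records the value in the stored token info; with two insertions and one deletion in the whole commit, nothing here compares it when a token is presented, so the constraint has no effect until the validation path reads it. When that check is added it should fail closed: a token whose stored `purpose` is nil (issued before this change, or by a caller that omits the argument) should not satisfy a consumer that asks for a specific purpose. A short comment on the field, such as `-- purpose: must match the purpose requested by the consumer at validation time`, would make that expectation visible to whoever writes the check. The table constructor starts and ends outside the hunk.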