From b435f6d52aa7f4ca3d122bedbfbbb92b9c14ece8 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Wed, 1 Mar 2023 13:04:36 +0000 Subject: mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic. --- plugins/mod_tokenauth.lua | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'plugins') diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua index fa8020bc..8b24bc17 100644 --- a/plugins/mod_tokenauth.lua +++ b/plugins/mod_tokenauth.lua @@ -122,3 +122,21 @@ function revoke_token(token) end return token_store:set(token_user, token_id, nil); end + +function sasl_handler(auth_provider, purpose, extra) + return function (_, username, token, realm) + local token_info, err = get_token_info(token); + if not token_info then + module:log("debug", "SASL handler failed to verify token: %s", err); + return nil, nil, extra; + end + local token_user, token_host = jid.split(token_info.jid); + if username ~= token_user or realm ~= token_host or (purpose and token_info.purpose ~= purpose) then + return nil, nil, extra; + end + if auth_provider.is_enabled and not auth_provider.is_enabled(username) then + return true, false, token_info; + end + return true, true, token_info; + end; +end -- cgit v1.2.3