Updated usermanager with DIGEST-MD5 support

core/usermanager.lua

@@ -2,22 +2,57 @@
 require "util.datamanager"
 local datamanager = datamanager;
 local log = require "util.logger".init("usermanager");
+local error = error;
+local hashes = require "util.hashes";
 
 module "usermanager"
 
-function validate_credentials(host, username, password)
+function validate_credentials(host, username, password, method)
 	log("debug", "User '%s' is being validated", username);
 	local credentials = datamanager.load(username, host, "accounts") or {};
-	if password == credentials.password then return true; end
-	return false;
+	if method == nil then method = "PLAIN"; end
+	if method == "PLAIN" and credentials.password then -- PLAIN, do directly
+		if password == credentials.password then
+			return true;
+		else
+			return nil, "Auth failed. Invalid username or password.";
+		end
+	end
+	-- must do md5
+	if not hashes.md5 then
+		return nil, "Server misconfiguration, the md5 library is not available.";
+	end
+	-- make credentials md5
+	local pwd = credentials.password;
+	if not pwd then pwd = credentials.md5; else pwd = hashes.md5(pwd); end
+	-- make password md5
+	if method == "PLAIN" then
+		password = hashes.md5(password or "");
+	elseif method ~= "DIGEST-MD5" then
+		return nil, "Unsupported auth method";
+	end
+	-- compare
+	if password == pwd then
+		return true;
+	else
+		return nil, "Auth failed. Invalid username or password.";
+	end
 end
 
 function user_exists(username, host)
-	return datamanager.load(username, host, "accounts") ~= nil;
+	return datamanager.load(username, host, "accounts") ~= nil; -- FIXME also check for empty credentials
 end
 
 function create_user(username, password, host)
 	return datamanager.store(username, host, "accounts", {password = password});
 end
 
-return _M;
+function get_supported_methods(host)
+	local methods = {["PLAIN"] = true}; -- TODO this should be taken from the config
+	if hashes.md5 then
+		methods["DIGEST-MD5"] = true;
+	end
+	return methods;
+end
+
+return _M;