mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 13:47:41 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_tokenauth: Switch to new token format (invalidates existing tokens!)

Browse source 
The new format has the following properties:

- 5 bytes longer than the previous format
- The token now has separate 'id' and 'secret' parts - the token itself is no
  longer stored in the DB, and the secret part is hashed
- The only variable length field (JID) has been moved to the end
- The 'secret-token:' prefix (RFC 8959) is now included

Compatibility with the old token format was not maintained, and all previously
issued tokens are invalid after this commit (they will be removed from the DB
if used).
This commit is contained in:
Matthew Wild 2023-03-21 14:33:29 +00:00
parent 5019bacff6
commit fc80e83b42
1 changed files with 35 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

49
plugins/mod_tokenauth.lua
View file

@ -1,6 +1,8 @@
local base64 = require "util.encodings".base64;
local hashes = require "util.hashes";
local id = require "util.id"; local id = require "util.id";
local jid = require "util.jid"; local jid = require "util.jid";
local base64 = require "util.encodings".base64; local random = require "util.random";
local usermanager = require "core.usermanager"; local usermanager = require "core.usermanager";
local generate_identifier = require "util.id".short; local generate_identifier = require "util.id".short;
@ -29,7 +31,11 @@ function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_dat
return nil, "bad-request"; return nil, "bad-request";
end end
local token_id = id.short();
local token_info = { local token_info = {
id = token_id;
owner = actor_jid; owner = actor_jid;
created = os.time(); created = os.time();
expires = token_ttl and (os.time() + token_ttl) or nil; expires = token_ttl and (os.time() + token_ttl) or nil;
@ -41,36 +47,51 @@ function create_jid_token(actor_jid, token_jid, token_role, token_ttl, token_dat
data = token_data; data = token_data;
}; };
local token_id = id.long(); local token_secret = random.bytes(18);
local token = base64.encode("1;"..jid.join(token_username, token_host)..";"..token_id); local token = "secret-token:"..base64.encode("2;"..token_id..";"..token_secret..";"..jid.join(token_username, token_host));
token_store:set(token_username, token_id, token_info); token_store:set(token_username, token_id, {
secret_sha256 = hashes.sha256(token_secret, true);
token_info = token_info
});
return token, token_info; return token, token_info;
end end
local function parse_token(encoded_token) local function parse_token(encoded_token)
if not encoded_token then return nil; end if not encoded_token then return nil; end
local token = base64.decode(encoded_token); local encoded_data = encoded_token:match("^secret%-token:(.+)$");
if not encoded_data then return nil; end
local token = base64.decode(encoded_data);
if not token then return nil; end if not token then return nil; end
local token_jid, token_id = token:match("^1;([^;]+);(.+)$"); local token_id, token_secret, token_jid = token:match("^2;([^;]+);([^;]+);(.+)$");
if not token_jid then return nil; end if not token_id then return nil; end
local token_user, token_host = jid.split(token_jid); local token_user, token_host = jid.split(token_jid);
return token_id, token_user, token_host; return token_id, token_user, token_host, token_secret;
end end
local function _get_parsed_token_info(token_id, token_user, token_host) local function _get_validated_token_info(token_id, token_user, token_host, token_secret)
if token_host ~= module.host then if token_host ~= module.host then
return nil, "invalid-host"; return nil, "invalid-host";
end end
local token_info, err = token_store:get(token_user, token_id); local token, err = token_store:get(token_user, token_id);
if not token_info then if not token then
if err then if err then
return nil, "internal-error"; return nil, "internal-error";
end end
return nil, "not-authorized"; return nil, "not-authorized";
elseif not token.secret_sha256 then -- older token format
token_store:set(token_user, token_id, nil);
return nil, "not-authorized";
end end
-- Check provided secret
if not hashes.equals(hashes.sha256(token_secret, true), token.secret_sha256) then
return nil, "not-authorized";
end
local token_info = token.token_info;
if token_info.expires and token_info.expires < os.time() then if token_info.expires and token_info.expires < os.time() then
token_store:set(token_user, token_id, nil); token_store:set(token_user, token_id, nil);
return nil, "not-authorized"; return nil, "not-authorized";
@ -87,12 +108,12 @@ local function _get_parsed_token_info(token_id, token_user, token_host)
end end
function get_token_info(token) function get_token_info(token)
local token_id, token_user, token_host = parse_token(token); local token_id, token_user, token_host, token_secret = parse_token(token);
if not token_id then if not token_id then
module:log("warn", "Failed to verify access token: %s", token_user); module:log("warn", "Failed to verify access token: %s", token_user);
return nil, "invalid-token-format"; return nil, "invalid-token-format";
end end
return _get_parsed_token_info(token_id, token_user, token_host); return _get_validated_token_info(token_id, token_user, token_host, token_secret);
end end
function get_token_session(token, resource) function get_token_session(token, resource)
@ -102,7 +123,7 @@ function get_token_session(token, resource)
return nil, "invalid-token-format"; return nil, "invalid-token-format";
end end
local token_info, err = _get_parsed_token_info(token_id, token_user, token_host); local token_info, err = _get_validated_token_info(token_id, token_user, token_host);
if not token_info then return nil, err; end if not token_info then return nil, err; end
return { return {