apitech
/
prosody
mirror of https://github.com/bjc/prosody
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
IMPORTANT: due to a drive failure, as of 13-Mar-2021, the Mercurial repository had to be re-mirrored, which changed every commit SHA. The old SHAs and trees are backed up in the vault branches. Please migrate to the new branches as soon as you can.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13887 Commits
12 Branches
101 Tags
54 MiB
Tag: Branch: Tree: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
prosody/plugins/mod_tokenauth.lua

355 lines
11 KiB
Raw Permalink Normal View History Unescape

plugins: Prefix module imports with prosody namespace
3 years ago
local base64 = require "prosody.util.encodings".base64;
local hashes = require "prosody.util.hashes";
local id = require "prosody.util.id";
local jid = require "prosody.util.jid";
local random = require "prosody.util.random";
local usermanager = require "prosody.core.usermanager";
local generate_identifier = require "prosody.util.id".short;
mod_authtokens: New module for managing auth tokens
6 years ago
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local token_store = module:open_store("auth_tokens", "keyval+");
mod_authtokens: New module for managing auth tokens
6 years ago
plugins: Switch to :get_option_period() for time range options Improves readability ("1 day" vs 86400) and centralizes validation.
2 years ago
local access_time_granularity = module:get_option_period("token_auth_access_time_granularity", 60);
mod_tokenauth: Delete grants without tokens after period Generally it is expected that a grant would have at least one token as long as the grant is in active use. Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by default, so the idea here is that if that refresh token expired and another week goes by without the grant being used, then the whole grant can be removed.
2 years ago
local empty_grant_lifetime = module:get_option_period("tokenless_grant_ttl", "2w");
mod_tokenauth: Track last access time (last time a token was used)
3 years ago
mod_tokenauth: Support selection of _no_ role at all If a grant does not have a role, we should not go and make one up. While not very useful for XMPP if you can't even login, it may be useful for OAuth2/OIDC.
3 years ago
local function select_role(username, host, role_name)
if not role_name then return end
local role = usermanager.get_role_by_name(role_name, host);
if not role then return end
if not usermanager.user_can_assume_role(username, host, role.name) then return end
return role;
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
function create_grant(actor_jid, grant_jid, grant_ttl, grant_data)
grant_jid = jid.prep(grant_jid);
if not actor_jid or actor_jid ~= grant_jid and not jid.compare(grant_jid, actor_jid) then
module:log("debug", "Actor <%s> is not permitted to create a token granting access to JID <%s>", actor_jid, grant_jid);
mod_authtokens: New module for managing auth tokens
6 years ago
return nil, "not-authorized";
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local grant_username, grant_host, grant_resource = jid.split(grant_jid);
mod_authtokens: New module for managing auth tokens
6 years ago
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
if grant_host ~= module.host then
mod_authtokens: New module for managing auth tokens
6 years ago
return nil, "invalid-host";
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local grant_id = id.short();
mod_tokenauth: Track last access time (last time a token was used)
3 years ago
local now = os.time();
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local grant = {
id = grant_id;
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
mod_authtokens: New module for managing auth tokens
6 years ago
owner = actor_jid;
mod_tokenauth: Track last access time (last time a token was used)
3 years ago
created = now;
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
expires = grant_ttl and (now + grant_ttl) or nil;
mod_tokenauth: Track last access time (last time a token was used)
3 years ago
accessed = now;
mod_authtokens: New module for managing auth tokens
6 years ago
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
jid = grant_jid;
resource = grant_resource;
data = grant_data;
-- tokens[<hash-name>..":"..<secret>] = token_info
tokens = {};
mod_authtokens: New module for managing auth tokens
6 years ago
};
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local ok, err = token_store:set_key(grant_username, grant_id, grant);
mod_tokenauth: return error if storage of new token fails
3 years ago
if not ok then
return nil, err;
end
mod_authtokens: New module for managing auth tokens
6 years ago
mod_tokenauth: Fire events on grant creation and revocation
3 years ago
module:fire_event("token-grant-created", {
id = grant_id;
grant = grant;
username = grant_username;
host = grant_host;
});
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
return grant;
mod_authtokens: New module for managing auth tokens
6 years ago
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
function create_token(grant_jid, grant, token_role, token_ttl, token_purpose, token_data)
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
if (token_data and type(token_data) ~= "table") or (token_purpose and type(token_purpose) ~= "string") then
return nil, "bad-request";
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local grant_username, grant_host = jid.split(grant_jid);
if grant_host ~= module.host then
return nil, "invalid-host";
end
if type(grant) == "string" then -- lookup by id
grant = token_store:get_key(grant_username, grant);
if not grant then return nil; end
end
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
if not grant.tokens then return nil, "internal-server-error"; end -- old-style token?
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
local now = os.time();
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local expires = grant.expires; -- Default to same expiry as grant
if token_ttl then -- explicit lifetime requested
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
if expires then
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
-- Grant has an expiry, so limit to that or shorter
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
expires = math.min(now + token_ttl, expires);
else
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
-- Grant never expires, just use whatever expiry is requested for the token
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
expires = now + token_ttl;
end
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local token_info = {
role = token_role;
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
created = now;
expires = expires;
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
purpose = token_purpose;
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
data = token_data;
};
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local token_secret = random.bytes(18);
grant.tokens["sha256:"..hashes.sha256(token_secret, true)] = token_info;
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local ok, err = token_store:set_key(grant_username, grant.id, grant);
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
if not ok then
return nil, err;
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local token_string = "secret-token:"..base64.encode("2;"..grant.id..";"..token_secret..";"..grant.jid);
return token_string, token_info;
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
end
mod_authtokens: New module for managing auth tokens
6 years ago
local function parse_token(encoded_token)
mod_tokenauth: Gracefully handle missing tokens
3 years ago
if not encoded_token then return nil; end
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
local encoded_data = encoded_token:match("^secret%-token:(.+)$");
if not encoded_data then return nil; end
local token = base64.decode(encoded_data);
mod_authtokens: New module for managing auth tokens
6 years ago
if not token then return nil; end
mod_tokenauth: Fix parsing binary part of tokens Fixes parsing of tokens that happen to have a `;` in their secret part, otherwise it splits there and the later bit goes into the username and hitting the "Invalid token in storage" condition.
3 years ago
local token_id, token_secret, token_jid = token:match("^2;([^;]+);(..................);(.+)$");
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
if not token_id then return nil; end
mod_authtokens: New module for managing auth tokens
6 years ago
local token_user, token_host = jid.split(token_jid);
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
return token_id, token_user, token_host, token_secret;
mod_authtokens: New module for managing auth tokens
6 years ago
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local function clear_expired_grant_tokens(grant, now)
local updated;
now = now or os.time();
for secret, token_info in pairs(grant.tokens) do
mod_tokenauth: Fix traceback when checking expiry of tokens with no expiry
3 years ago
local expires = token_info.expires;
mod_tokenauth: Fix expiry lasting one second too much Because the code was using `< now` in a lot of places, things expiring at the current second wouldn't be marked as expired. It isn't noticeable in real-world scenarios but I wanted to create OAuth 2.0 tokens valid for 0 second in integration tests and it wasn't possible. By using `<=` instead of `<`, we make sure tokens don't live a single millisecond more than what they are supposed to.
11 months ago
if expires and expires <= now then
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
grant.tokens[secret] = nil;
updated = true;
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
end
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
return updated;
mod_tokenauth: Support for creating sub-tokens Properties of sub-tokens: - They share the same id as their parent token - Sub-tokens may not have their own sub-tokens (but may have sibling tokens) - They always have the same or shorter lifetime compared to their parent token - Revoking a parent token revokes all sub-tokens - Sub-tokens always have the same JID as the parent token - They do not have their own 'accessed' property - accessing a sub-token updates the parent token's accessed time Although this is a generic API, it is designed to at least fill the needs of OAuth2 refresh + access tokens (where the parent token is the refresh token and the sub-tokens are access tokens).
3 years ago
end
mod_tokenauth: Move grant validation to a reusable function
3 years ago
local function _get_validated_grant_info(username, grant)
if type(grant) == "string" then
grant = token_store:get_key(username, grant);
end
mod_tokenauth: Ignore invalid grants in storage that have no id
2 years ago
if not grant or not grant.created or not grant.id then return nil; end
mod_tokenauth: Move grant validation to a reusable function
3 years ago
-- Invalidate grants from before last password change
local account_info = usermanager.get_account_info(username, module.host);
local password_updated_at = account_info and account_info.password_updated;
mod_tokenauth: Clear expired tokens on grant retrieval
2 years ago
local now = os.time();
mod_tokenauth: Move grant validation to a reusable function
3 years ago
if password_updated_at and grant.created < password_updated_at then
mod_tokenauth: Include more details in debug logs Had a hard time following what was happening when it did not specify which grant or token was being removed.
2 years ago
module:log("debug", "Token grant %s of %s issued before last password change, invalidating it now", grant.id, username);
mod_tokenauth: Move grant validation to a reusable function
3 years ago
token_store:set_key(username, grant.id, nil);
return nil, "not-authorized";
mod_tokenauth: Fix expiry lasting one second too much Because the code was using `< now` in a lot of places, things expiring at the current second wouldn't be marked as expired. It isn't noticeable in real-world scenarios but I wanted to create OAuth 2.0 tokens valid for 0 second in integration tests and it wasn't possible. By using `<=` instead of `<`, we make sure tokens don't live a single millisecond more than what they are supposed to.
11 months ago
elseif grant.expires and grant.expires <= now then
mod_tokenauth: Include more details in debug logs Had a hard time following what was happening when it did not specify which grant or token was being removed.
2 years ago
module:log("debug", "Token grant %s of %s expired, cleaning up", grant.id, username);
mod_tokenauth: Move grant validation to a reusable function
3 years ago
token_store:set_key(username, grant.id, nil);
return nil, "expired";
end
mod_tokenauth: Delete grants in the wrong formats on retrieval
2 years ago
if not grant.tokens then
mod_tokenauth: Include more details in debug logs Had a hard time following what was happening when it did not specify which grant or token was being removed.
2 years ago
module:log("debug", "Token grant %s of %s without tokens, cleaning up", grant.id, username);
mod_tokenauth: Delete grants in the wrong formats on retrieval
2 years ago
token_store:set_key(username, grant.id, nil);
return nil, "invalid";
end
mod_tokenauth: Fix saving grants after clearing expired tokens Previously the whole grant was deleted if it found one expired toke, which was not indented.
2 years ago
local found_expired = false
mod_tokenauth: Clear expired tokens on grant retrieval
2 years ago
for secret_hash, token_info in pairs(grant.tokens) do
mod_tokenauth: Fix expiry lasting one second too much Because the code was using `< now` in a lot of places, things expiring at the current second wouldn't be marked as expired. It isn't noticeable in real-world scenarios but I wanted to create OAuth 2.0 tokens valid for 0 second in integration tests and it wasn't possible. By using `<=` instead of `<`, we make sure tokens don't live a single millisecond more than what they are supposed to.
11 months ago
if token_info.expires and token_info.expires <= now then
mod_tokenauth: Include more details in debug logs Had a hard time following what was happening when it did not specify which grant or token was being removed.
2 years ago
module:log("debug", "Token %s of grant %s of %s has expired, cleaning it up", secret_hash:sub(-8), grant.id, username);
mod_tokenauth: Clear expired tokens on grant retrieval
2 years ago
grant.tokens[secret_hash] = nil;
mod_tokenauth: Save grant after removing expired tokens Ensures the periodic cleanup really does remove expired tokens.
2 years ago
found_expired = true;
end
mod_tokenauth: Clear expired tokens on grant retrieval
2 years ago
end
mod_tokenauth: Delete grants without tokens after period Generally it is expected that a grant would have at least one token as long as the grant is in active use. Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by default, so the idea here is that if that refresh token expired and another week goes by without the grant being used, then the whole grant can be removed.
2 years ago
mod_tokenauth: Fix expiry lasting one second too much Because the code was using `< now` in a lot of places, things expiring at the current second wouldn't be marked as expired. It isn't noticeable in real-world scenarios but I wanted to create OAuth 2.0 tokens valid for 0 second in integration tests and it wasn't possible. By using `<=` instead of `<`, we make sure tokens don't live a single millisecond more than what they are supposed to.
11 months ago
if not grant.expires and next(grant.tokens) == nil and grant.accessed + empty_grant_lifetime <= now then
mod_tokenauth: Include more details in debug logs Had a hard time following what was happening when it did not specify which grant or token was being removed.
2 years ago
module:log("debug", "Token %s of %s grant has no tokens, discarding", grant.id, username);
mod_tokenauth: Delete grants without tokens after period Generally it is expected that a grant would have at least one token as long as the grant is in active use. Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by default, so the idea here is that if that refresh token expired and another week goes by without the grant being used, then the whole grant can be removed.
2 years ago
token_store:set_key(username, grant.id, nil);
return nil, "expired";
mod_tokenauth: Fix saving grants after clearing expired tokens Previously the whole grant was deleted if it found one expired toke, which was not indented.
2 years ago
elseif found_expired then
token_store:set_key(username, grant.id, grant);
mod_tokenauth: Delete grants without tokens after period Generally it is expected that a grant would have at least one token as long as the grant is in active use. Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by default, so the idea here is that if that refresh token expired and another week goes by without the grant being used, then the whole grant can be removed.
2 years ago
end
mod_tokenauth: Move grant validation to a reusable function
3 years ago
return grant;
end
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
local function _get_validated_token_info(token_id, token_user, token_host, token_secret)
mod_authtokens: New module for managing auth tokens
6 years ago
if token_host ~= module.host then
return nil, "invalid-host";
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local grant, err = token_store:get_key(token_user, token_id);
if not grant or not grant.tokens then
mod_authtokens: New module for managing auth tokens
6 years ago
if err then
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
module:log("error", "Unable to read from token storage: %s", err);
mod_authtokens: New module for managing auth tokens
6 years ago
return nil, "internal-error";
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
module:log("warn", "Invalid token in storage (%s / %s)", token_user, token_id);
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
return nil, "not-authorized";
mod_authtokens: New module for managing auth tokens
6 years ago
end
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
-- Check provided secret
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local secret_hash = "sha256:"..hashes.sha256(token_secret, true);
local token_info = grant.tokens[secret_hash];
if not token_info then
module:log("debug", "No tokens matched the given secret");
return nil, "not-authorized";
end
-- Check expiry
local now = os.time();
mod_tokenauth: Fix expiry lasting one second too much Because the code was using `< now` in a lot of places, things expiring at the current second wouldn't be marked as expired. It isn't noticeable in real-world scenarios but I wanted to create OAuth 2.0 tokens valid for 0 second in integration tests and it wasn't possible. By using `<=` instead of `<`, we make sure tokens don't live a single millisecond more than what they are supposed to.
11 months ago
if token_info.expires and token_info.expires <= now then
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
module:log("debug", "Token has expired, cleaning it up");
grant.tokens[secret_hash] = nil;
token_store:set_key(token_user, token_id, grant);
mod_tokenauth: Invalidate tokens issued before most recent password change This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.
3 years ago
return nil, "not-authorized";
end
mod_tokenauth: Move grant validation to a reusable function
3 years ago
-- Verify grant validity (expiry, etc.)
grant = _get_validated_grant_info(token_user, grant);
if not grant then
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
return nil, "not-authorized";
end
-- Update last access time if necessary
local last_accessed = grant.accessed;
if not last_accessed or (now - last_accessed) > access_time_granularity then
grant.accessed = now;
clear_expired_grant_tokens(grant); -- Clear expired tokens while we're here
token_store:set_key(token_user, token_id, grant);
end
mod_tokenauth: Track last access time (last time a token was used)
3 years ago
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
token_info.id = token_id;
token_info.grant = grant;
token_info.jid = grant.jid;
return token_info;
mod_authtokens: New module for managing auth tokens
6 years ago
end
mod_tokenauth: Add API to inspect individual grants or all of a user's grants
3 years ago
function get_grant_info(username, grant_id)
local grant = _get_validated_grant_info(username, grant_id);
if not grant then return nil; end
-- Caller is only interested in the grant, no need to expose token stuff to them
grant.tokens = nil;
return grant;
end
function get_user_grants(username)
local grants = token_store:get(username);
if not grants then return nil; end
for grant_id, grant in pairs(grants) do
grants[grant_id] = _get_validated_grant_info(username, grant);
end
return grants;
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
function get_token_info(token)
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
local token_id, token_user, token_host, token_secret = parse_token(token);
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
if not token_id then
mod_tokenauth: Log error when token validation fails
3 years ago
module:log("warn", "Failed to verify access token: %s", token_user);
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
return nil, "invalid-token-format";
end
mod_tokenauth: Switch to new token format (invalidates existing tokens!) The new format has the following properties: - 5 bytes longer than the previous format - The token now has separate 'id' and 'secret' parts - the token itself is no longer stored in the DB, and the secret part is hashed - The only variable length field (JID) has been moved to the end - The 'secret-token:' prefix (RFC 8959) is now included Compatibility with the old token format was not maintained, and all previously issued tokens are invalid after this commit (they will be removed from the DB if used).
3 years ago
return _get_validated_token_info(token_id, token_user, token_host, token_secret);
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
end
function get_token_session(token, resource)
mod_tokenauth: Fix traceback in get_token_session() Errors in sha256 becasue `token_secret` is nil since it was not passed to _get_validated_token_info(). Looks like a simple oversight in ebe3b2f96cad
3 years ago
local token_id, token_user, token_host, token_secret = parse_token(token);
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
if not token_id then
mod_tokenauth: Log error when token validation fails
3 years ago
module:log("warn", "Failed to verify access token: %s", token_user);
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
return nil, "invalid-token-format";
end
mod_tokenauth: Fix traceback in get_token_session() Errors in sha256 becasue `token_secret` is nil since it was not passed to _get_validated_token_info(). Looks like a simple oversight in ebe3b2f96cad
3 years ago
local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret);
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
if not token_info then return nil, err; end
mod_tokenauth: Return error instead of session for token without role Such a session triggers errors in module:may or other places since it is generally expected that a session must have a role.
3 years ago
local role = select_role(token_user, token_host, token_info.role);
if not role then return nil, "not-authorized"; end
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
return {
username = token_user;
host = token_host;
resource = token_info.resource or resource or generate_identifier();
mod_tokenauth: Return error instead of session for token without role Such a session triggers errors in module:may or other places since it is generally expected that a session must have a role.
3 years ago
role = role;
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are).
3 years ago
};
end
mod_authtokens: New module for managing auth tokens
6 years ago
function revoke_token(token)
mod_tokenauth: Fix revoking a single token without revoking whole grant This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
2 years ago
local grant_id, token_user, token_host, token_secret = parse_token(token);
if not grant_id then
mod_tokenauth: Log error when token validation fails
3 years ago
module:log("warn", "Failed to verify access token: %s", token_user);
mod_authtokens: New module for managing auth tokens
6 years ago
return nil, "invalid-token-format";
end
if token_host ~= module.host then
return nil, "invalid-host";
end
mod_tokenauth: Fix revoking a single token without revoking whole grant This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
2 years ago
local grant, err = _get_validated_grant_info(token_user, grant_id);
if not grant then return grant, err; end
local secret_hash = "sha256:"..hashes.sha256(token_secret, true);
local token_info = grant.tokens[secret_hash];
if not grant or not token_info then
return nil, "item-not-found";
end
grant.tokens[secret_hash] = nil;
local ok, err = token_store:set_key(token_user, grant_id, grant);
mod_tokenauth: Fire events on grant creation and revocation
3 years ago
if not ok then
return nil, err;
end
mod_tokenauth: Fix revoking a single token without revoking whole grant This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
2 years ago
module:fire_event("token-revoked", {
grant_id = grant_id;
grant = grant;
info = token_info;
username = token_user;
host = token_host;
});
mod_tokenauth: Fire events on grant creation and revocation
3 years ago
return true;
mod_authtokens: New module for managing auth tokens
6 years ago
end
mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
3 years ago
mod_tokenauth: Add API method to revoke a grant by id We probably want to refactor revoke_token() to use this one in the future.
3 years ago
function revoke_grant(username, grant_id)
local ok, err = token_store:set_key(username, grant_id, nil);
if not ok then return nil, err; end
module:fire_event("token-grant-revoked", { id = grant_id, username = username, host = module.host });
return true;
end
mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
3 years ago
function sasl_handler(auth_provider, purpose, extra)
util.sasl.oauthbearer: Return username from callback instead using authzid (BC) RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
3 years ago
return function (sasl, token, realm, _authzid)
mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
3 years ago
local token_info, err = get_token_info(token);
if not token_info then
module:log("debug", "SASL handler failed to verify token: %s", err);
return nil, nil, extra;
end
mod_tokenauth: Refactor API to separate tokens and grants This is another iteration on top of the previous sub-tokens work. Essentially, the concept of a "parent token" has been replaced with the concept of a "grant" to which all tokens now belong. The grant does not have any tokens when first created, but the create_token() call can add them.
3 years ago
local token_user, token_host, resource = jid.split(token_info.grant.jid);
util.sasl.oauthbearer: Return username from callback instead using authzid (BC) RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
3 years ago
if realm ~= token_host or (purpose and token_info.purpose ~= purpose) then
mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
3 years ago
return nil, nil, extra;
end
util.sasl.oauthbearer: Return username from callback instead using authzid (BC) RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
3 years ago
if auth_provider.is_enabled and not auth_provider.is_enabled(token_user) then
mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
3 years ago
return true, false, token_info;
end
util.sasl.oauthbearer: Return username from callback instead using authzid (BC) RFC 6120 states that > If the initiating entity does not wish to act on behalf of another > entity, it MUST NOT provide an authorization identity. Thus it seems weird to require it here. We can instead expect an username from the token data passed back from the profile. This follows the practice of util.sasl.external where the profile callback returns the selected username, making the authentication module responsible for extracting the username from the token.
3 years ago
sasl.resource = resource;
sasl.token_info = token_info;
return token_user, true, token_info;
mod_tokenauth: Add SASL handler backend that can accept and verify tokens This is designed for use by other modules that want to accept tokens issued by mod_tokenauth, without duplicating all the necessary logic.
3 years ago
end;
end
mod_tokenauth: Periodically clear out expired tokens and grants This should ensure expired grants eventually disappear.
2 years ago
mod_tokenauth: Set name/description on cleanup job
2 years ago
module:daily("clear expired grants", function()
mod_tokenauth: Periodically clear out expired tokens and grants This should ensure expired grants eventually disappear.
2 years ago
for username in token_store:items() do
get_user_grants(username); -- clears out expired grants
end
end)