prosody/plugins/mod_auth_internal_plain.lua

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local usermanager = require "prosody.core.usermanager";
local new_sasl = require "prosody.util.sasl".new;
local saslprep = require "prosody.util.encodings".stringprep.saslprep;
local secure_equals = require "prosody.util.hashes".equals;

local log = module._log;
local host = module.host;

local accounts = module:open_store("accounts");

-- define auth provider
local provider = {};

function provider.test_password(username, password)
	log("debug", "test password for user '%s'", username);
	local credentials = accounts:get(username) or {};
	if credentials.disabled then
		return nil, "Account disabled.";
	end
	password = saslprep(password);
	if not password then
		return nil, "Password fails SASLprep.";
	end

	if secure_equals(password, saslprep(credentials.password)) then
		return true;
	else
		return nil, "Auth failed. Invalid username or password.";
	end
end

function provider.get_password(username)
	log("debug", "get_password for username '%s'", username);
	return (accounts:get(username) or {}).password;
end

function provider.set_password(username, password)
	log("debug", "set_password for username '%s'", username);
	password = saslprep(password);
	if not password then
		return nil, "Password fails SASLprep.";
	end
	local account = accounts:get(username);
	if account then
		account.password = password;
		account.updated = os.time();
		return accounts:set(username, account);
	end
	return nil, "Account not available.";
end

function provider.get_account_info(username)
	local account = accounts:get(username);
	if not account then return nil, "Account not available"; end
	return {
		created = account.created;
		password_updated = account.updated;
	};
end

function provider.user_exists(username)
	local account = accounts:get(username);
	if not account then
		log("debug", "account not found for username '%s'", username);
		return nil, "Auth failed. Invalid username";
	end
	return true;
end

function provider.users()
	return accounts:users();
end

function provider.create_user(username, password)
	local now = os.time();
	if password == nil then
		return accounts:set(username, { created = now, updated = now, disabled = true });
	end
	password = saslprep(password);
	if not password then
		return nil, "Password fails SASLprep.";
	end
	return accounts:set(username, {
		password = password;
		created = now, updated = now;
	});
end

function provider.delete_user(username)
	return accounts:set(username, nil);
end

function provider.get_sasl_handler()
	local getpass_authentication_profile = {
		plain = function(_, username, realm)
			local password = usermanager.get_password(username, realm);
			if not password then
				return "", nil;
			end
			return password, true;
		end
	};
	return new_sasl(host, getpass_authentication_profile);
end

module:provides("auth", provider);
Added mod_auth_default 16 years ago			`-- Prosody IM`
			`-- Copyright (C) 2008-2010 Matthew Wild`
			`-- Copyright (C) 2008-2010 Waqas Hussain`
			`--`
			`-- This project is MIT/X11 licensed. Please see the`
			`-- COPYING file in the source package for more information.`
			`--`

plugins: Prefix module imports with prosody namespace 3 years ago			`local usermanager = require "prosody.core.usermanager";`
			`local new_sasl = require "prosody.util.sasl".new;`
			`local saslprep = require "prosody.util.encodings".stringprep.saslprep;`
			`local secure_equals = require "prosody.util.hashes".equals;`
Added mod_auth_default 16 years ago
mod_auth_internal_plain: Remove unused imports 14 years ago			`local log = module._log;`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`local host = module.host;`
Added mod_auth_default 16 years ago
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`local accounts = module:open_store("accounts");`

mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`-- define auth provider`
mod_auth_*: Use module:provides(). 13 years ago			`local provider = {};`
Working defaultauth 16 years ago
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`function provider.test_password(username, password)`
mod_auth_internal_plain: Remove redundant hostname from log messages 13 years ago			`log("debug", "test password for user '%s'", username);`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`local credentials = accounts:get(username) or {};`
mod_auth_internal_{hashed,plain}: Respect flag for disabled accounts in test_password() This API method is used e.g. in HTTP modules which also should respect disabled accounts. 1 year ago			`if credentials.disabled then`
			`return nil, "Account disabled.";`
			`end`
mod_auth_internal_*: Apply saslprep to passwords Related to #1560 6 years ago			`password = saslprep(password);`
			`if not password then`
			`return nil, "Password fails SASLprep.";`
			`end`
Added mod_auth_default 16 years ago
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets 5 years ago			`if secure_equals(password, saslprep(credentials.password)) then`
Added mod_auth_default 16 years ago			`return true;`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`else`
			`return nil, "Auth failed. Invalid username or password.";`
Added mod_auth_default 16 years ago			`end`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`end`
Added mod_auth_default 16 years ago
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`function provider.get_password(username)`
mod_auth_internal_plain: Remove redundant hostname from log messages 13 years ago			`log("debug", "get_password for username '%s'", username);`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`return (accounts:get(username) or {}).password;`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`end`

			`function provider.set_password(username, password)`
mod_auth_internal_plain: Log a debug message when changing password to be consistent with the other methods 13 years ago			`log("debug", "set_password for username '%s'", username);`
mod_auth_internal_*: Apply saslprep to passwords Related to #1560 6 years ago			`password = saslprep(password);`
			`if not password then`
			`return nil, "Password fails SASLprep.";`
			`end`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`local account = accounts:get(username);`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`if account then`
			`account.password = password;`
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach). 4 years ago			`account.updated = os.time();`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`return accounts:set(username, account);`
mod_auth_internal_*: Support for delete_user method 15 years ago			`end`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`return nil, "Account not available.";`
			`end`
Added mod_auth_default 16 years ago
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach). 4 years ago			`function provider.get_account_info(username)`
			`local account = accounts:get(username);`
			`if not account then return nil, "Account not available"; end`
			`return {`
			`created = account.created;`
			`password_updated = account.updated;`
			`};`
			`end`

mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`function provider.user_exists(username)`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`local account = accounts:get(username);`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`if not account then`
mod_auth_internal_plain: Remove redundant hostname from log messages 13 years ago			`log("debug", "account not found for username '%s'", username);`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`return nil, "Auth failed. Invalid username";`
Added mod_auth_default 16 years ago			`end`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`return true;`
Added mod_auth_default 16 years ago			`end`

mod_auth_internal_{plain,hashed}: Add support for iterating over accounts 13 years ago			`function provider.users()`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`return accounts:users();`
mod_auth_internal_{plain,hashed}: Add support for iterating over accounts 13 years ago			`end`

mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`function provider.create_user(username, password)`
mod_auth_internal_plain: Fix user creation done via mod_admin_shell Following the new behavior in auth_internal_hashed (c8f59ce7d3cf), the account will be created and disabled, instead of returning an error telling password being nil when calling saslprep(). Note that mod_auth_internal_plain does not have full support for enabled/disabled accounts, but that may be fixed in subsequent commits. 3 years ago			`local now = os.time();`
			`if password == nil then`
			`return accounts:set(username, { created = now, updated = now, disabled = true });`
			`end`
mod_auth_internal_*: Apply saslprep to passwords Related to #1560 6 years ago			`password = saslprep(password);`
			`if not password then`
			`return nil, "Password fails SASLprep.";`
			`end`
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach). 4 years ago			`return accounts:set(username, {`
			`password = password;`
			`created = now, updated = now;`
			`});`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`end`

			`function provider.delete_user(username)`
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store() 13 years ago			`return accounts:set(username, nil);`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`end`

			`function provider.get_sasl_handler()`
			`local getpass_authentication_profile = {`
mod_auth_internal_plain: Rename unused self argument [luacheck] 9 years ago			`plain = function(_, username, realm)`
mod_auth_internal_plain, mod_auth_internal_hashed: No need to nodeprep here. 13 years ago			`local password = usermanager.get_password(username, realm);`
mod_auth_{internal_plain,cyrus,anonymous}: Get rid of useless wrapper function new_default_provider. 13 years ago			`if not password then`
			`return "", nil;`
			`end`
			`return password, true;`
			`end`
			`};`
			`return new_sasl(host, getpass_authentication_profile);`
			`end`
Remove all trailing whitespace 13 years ago
mod_auth_*: Use module:provides(). 13 years ago			`module:provides("auth", provider);`
Added mod_auth_default 16 years ago