prosody/plugins/mod_tokenauth.lua

local id = require "util.id";
local jid = require "util.jid";
local base64 = require "util.encodings".base64;
local usermanager = require "core.usermanager";
local generate_identifier = require "util.id".short;

local token_store = module:open_store("auth_tokens", "map");

local function select_role(username, host, role)
	if role then
		return prosody.hosts[host].authz.get_role_by_name(role);
	end
	return usermanager.get_user_role(username, host);
end

function create_jid_token(actor_jid, token_jid, token_role, token_ttl)
	token_jid = jid.prep(token_jid);
	if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then
		return nil, "not-authorized";
	end

	local token_username, token_host, token_resource = jid.split(token_jid);

	if token_host ~= module.host then
		return nil, "invalid-host";
	end

	local token_info = {
		owner = actor_jid;
		created = os.time();
		expires = token_ttl and (os.time() + token_ttl) or nil;
		jid = token_jid;

		resource = token_resource;
		role = token_role;
	};

	local token_id = id.long();
	local token = base64.encode("1;"..jid.join(token_username, token_host)..";"..token_id);
	token_store:set(token_username, token_id, token_info);

	return token, token_info;
end

local function parse_token(encoded_token)
	local token = base64.decode(encoded_token);
	if not token then return nil; end
	local token_jid, token_id = token:match("^1;([^;]+);(.+)$");
	if not token_jid then return nil; end
	local token_user, token_host = jid.split(token_jid);
	return token_id, token_user, token_host;
end

local function _get_parsed_token_info(token_id, token_user, token_host)
	if token_host ~= module.host then
		return nil, "invalid-host";
	end

	local token_info, err = token_store:get(token_user, token_id);
	if not token_info then
		if err then
			return nil, "internal-error";
		end
		return nil, "not-authorized";
	end

	if token_info.expires and token_info.expires < os.time() then
		return nil, "not-authorized";
	end

	return token_info
end

function get_token_info(token)
	local token_id, token_user, token_host = parse_token(token);
	if not token_id then
		return nil, "invalid-token-format";
	end
	return _get_parsed_token_info(token_id, token_user, token_host);
end

function get_token_session(token, resource)
	local token_id, token_user, token_host = parse_token(token);
	if not token_id then
		return nil, "invalid-token-format";
	end

	local token_info, err = _get_parsed_token_info(token_id, token_user, token_host);
	if not token_info then return nil, err; end

	return {
		username = token_user;
		host = token_host;
		resource = token_info.resource or resource or generate_identifier();

		role = select_role(token_user, token_host, token_info.role);
	};
end


function revoke_token(token)
	local token_id, token_user, token_host = parse_token(token);
	if not token_id then
		return nil, "invalid-token-format";
	end
	if token_host ~= module.host then
		return nil, "invalid-host";
	end
	return token_store:set(token_user, token_id, nil);
end
mod_authtokens: New module for managing auth tokens 6 years ago			`local id = require "util.id";`
			`local jid = require "util.jid";`
			`local base64 = require "util.encodings".base64;`
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are). 4 years ago			`local usermanager = require "core.usermanager";`
			`local generate_identifier = require "util.id".short;`
mod_authtokens: New module for managing auth tokens 6 years ago
			`local token_store = module:open_store("auth_tokens", "map");`

mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are). 4 years ago			`local function select_role(username, host, role)`
			`if role then`
			`return prosody.hosts[host].authz.get_role_by_name(role);`
			`end`
mod_authz_internal, and more: New iteration of role API These changes to the API (hopefully the last) introduce a cleaner separation between the user's primary (default) role, and their secondary (optional) roles. To keep the code sane and reduce complexity, a data migration is needed for people using stored roles in 0.12. This can be performed with prosodyctl mod_authz_internal migrate <host> 3 years ago			`return usermanager.get_user_role(username, host);`
mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are). 4 years ago			`end`

			`function create_jid_token(actor_jid, token_jid, token_role, token_ttl)`
mod_authtokens: New module for managing auth tokens 6 years ago			`token_jid = jid.prep(token_jid);`
			`if not actor_jid or token_jid ~= actor_jid and not jid.compare(token_jid, actor_jid) then`
			`return nil, "not-authorized";`
			`end`

			`local token_username, token_host, token_resource = jid.split(token_jid);`

			`if token_host ~= module.host then`
			`return nil, "invalid-host";`
			`end`

			`local token_info = {`
			`owner = actor_jid;`
mod_tokenauth: Track creation time of tokens 6 years ago			`created = os.time();`
mod_authtokens: New module for managing auth tokens 6 years ago			`expires = token_ttl and (os.time() + token_ttl) or nil;`
			`jid = token_jid;`

mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are). 4 years ago			`resource = token_resource;`
			`role = token_role;`
mod_authtokens: New module for managing auth tokens 6 years ago			`};`

			`local token_id = id.long();`
mod_tokenauth: Handle tokens issued to bare hosts (eg components) 6 years ago			`local token = base64.encode("1;"..jid.join(token_username, token_host)..";"..token_id);`
mod_authtokens: New module for managing auth tokens 6 years ago			`token_store:set(token_username, token_id, token_info);`

			`return token, token_info;`
			`end`

			`local function parse_token(encoded_token)`
			`local token = base64.decode(encoded_token);`
			`if not token then return nil; end`
			`local token_jid, token_id = token:match("^1;([^;]+);(.+)$");`
			`if not token_jid then return nil; end`
			`local token_user, token_host = jid.split(token_jid);`
			`return token_id, token_user, token_host;`
			`end`

mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are). 4 years ago			`local function _get_parsed_token_info(token_id, token_user, token_host)`
mod_authtokens: New module for managing auth tokens 6 years ago			`if token_host ~= module.host then`
			`return nil, "invalid-host";`
			`end`

			`local token_info, err = token_store:get(token_user, token_id);`
			`if not token_info then`
			`if err then`
			`return nil, "internal-error";`
			`end`
			`return nil, "not-authorized";`
			`end`

			`if token_info.expires and token_info.expires < os.time() then`
			`return nil, "not-authorized";`
			`end`

			`return token_info`
			`end`

mod_tokenauth: New API that better fits how modules are using token auth This also updates the module to the new role API, and improves support for scope/role selection (currently treated as the same thing, which they almost are). 4 years ago			`function get_token_info(token)`
			`local token_id, token_user, token_host = parse_token(token);`
			`if not token_id then`
			`return nil, "invalid-token-format";`
			`end`
			`return _get_parsed_token_info(token_id, token_user, token_host);`
			`end`

			`function get_token_session(token, resource)`
			`local token_id, token_user, token_host = parse_token(token);`
			`if not token_id then`
			`return nil, "invalid-token-format";`
			`end`

			`local token_info, err = _get_parsed_token_info(token_id, token_user, token_host);`
			`if not token_info then return nil, err; end`

			`return {`
			`username = token_user;`
			`host = token_host;`
			`resource = token_info.resource or resource or generate_identifier();`

			`role = select_role(token_user, token_host, token_info.role);`
			`};`
			`end`


mod_authtokens: New module for managing auth tokens 6 years ago			`function revoke_token(token)`
			`local token_id, token_user, token_host = parse_token(token);`
			`if not token_id then`
			`return nil, "invalid-token-format";`
			`end`
			`if token_host ~= module.host then`
			`return nil, "invalid-host";`
			`end`
			`return token_store:set(token_user, token_id, nil);`
			`end`