Moves token related code into util so it can be reused.

resources/prosody-plugins/mod_auth_token.lua

@@ -1,58 +1,27 @@
 -- Token authentication
 -- Copyright (C) 2015 Atlassian
 
-local basexx = require "basexx";
-local have_async, async = pcall(require, "util.async");
-local hex = require "util.hex";
 local formdecode = require "util.http".formdecode;
 local generate_uuid = require "util.uuid".generate;
-local http = require "net.http";
-local json = require "cjson";
 local new_sasl = require "util.sasl".new;
-local path = require "util.paths";
 local sasl = require "util.sasl";
-local sha256 = require "util.hashes".sha256;
-local timer = require "util.timer";
-local token_util = module:require "token/util";
+local token_util = module:require "token/util".new(module);
+
+-- no token configuration
+if token_util == nil then
+    return;
+end
 
 -- define auth provider
 local provider = {};
 
 local host = module.host;
 
-local appId = module:get_option_string("app_id");
-local appSecret = module:get_option_string("app_secret");
-local asapKeyServer = module:get_option_string("asap_key_server");
-local allowEmptyToken = module:get_option_boolean("allow_empty_token");
-local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");
-
-local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);
-local cache = require"util.cache".new(cacheSize);
-
-if allowEmptyToken == true then
-	module:log("warn", "WARNING - empty tokens allowed");
-end
-
-if appId == nil then
-	module:log("error", "'app_id' must not be empty");
-	return;
-end
-
-if appSecret == nil and asapKeyServer == nil then
-	module:log("error", "'app_secret' or 'asap_key_server' must be specified");
-	return;
-end
-
-if asapKeyServer and not have_async then
-	module:log("error", "requires a version of Prosody with util.async");
-	return;
-end
-
 -- Extract 'token' param from BOSH URL when session is created
 module:hook("bosh-session", function(event)
 	local session, request = event.session, event.request;
 	local query = request.url.query;
+
 	if query ~= nil then
 		session.auth_token = query and formdecode(query).token or nil;
 	end
@@ -82,104 +51,12 @@ function provider.delete_user(username)
 	return nil;
 end
 
-local http_timeout = 30;
-local http_headers = {
-	["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"
-};
-
-function get_public_key(keyId)
-	local content = cache:get(keyId);
-	if content == nil then
-		-- If the key is not found in the cache.
-		module:log("debug", "Cache miss for key: "..keyId);
-		local code;
-		local wait, done = async.waiter();
-		local function cb(content_, code_, response_, request_)
-			content, code = content_, code_;
-			if code == 200 or code == 204 then
-				cache:set(keyId, content);
-			end
-			done();
-		end
-		local keyurl = path.join(asapKeyServer, hex.to(sha256(keyId))..'.pem');
-		module:log("debug", "Fetching public key from: "..keyurl);
-
-		-- We hash the key ID to work around some legacy behavior and make
-		-- deployment easier. It also helps prevent directory
-		-- traversal attacks (although path cleaning could have done this too).
-		local request = http.request(keyurl, {
-			headers = http_headers or {},
-			method = "GET"
-		}, cb);
-
-		-- TODO: Is the done() call racey? Can we cancel this if the request
-		--       succeedes?
-		local function cancel()
-			-- TODO: This check is racey. Not likely to be a problem, but we should
-			--       still stick a mutex on content / code at some point.
-			if code == nil then
-				http.destroy_request(request);
-				done();
-			end
-		end
-		timer.add_task(http_timeout, cancel);
-		wait();
-
-		if code == 200 or code == 204 then
-			return content;
-		end
-	else
-		-- If the key is in the cache, use it.
-		module:log("debug", "Cache hit for key: "..keyId);
-		return content;
-	end
-
-	return nil;
-end
-
 function provider.get_sasl_handler(session)
 	-- JWT token extracted from BOSH URL
 	local token = session.auth_token;
 
 	local function get_username_from_token(self, message)
-
-		if token == nil then
-			if allowEmptyToken then
-				return true;
-			else
-				return false, "not-allowed", "token required";
-			end
-		end
-
-		local pubKey;
-		if asapKeyServer and session.auth_token ~= nil then
-			local dotFirst = session.auth_token:find("%.");
-			if not dotFirst then return nil, "Invalid token" end
-			local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
-			local kid = header["kid"];
-			if kid == nil then
-				return false, "not-allowed", "'kid' claim is missing";
-			end
-			pubKey = get_public_key(kid);
-			if pubKey == nil then
-				return false, "not-allowed", "could not obtain public key";
-			end
-		end
-
-		-- now verify the whole token
-		local claims, msg;
-		if asapKeyServer then
-			claims, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);
-		else
-			claims, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);
-		end
-		if claims ~= nil then
-			-- Binds room name to the session which is later checked on MUC join
-			session.jitsi_meet_room = claims["room"];
-			return true;
-		else
-			return false, "not-allowed", msg;
-		end
+        return token_util:process_and_verify_token(session, token);
 	end
 
 	return new_sasl(host, { anonymous = get_username_from_token });

resources/prosody-plugins/mod_token_verification.lua

@@ -21,15 +21,17 @@ if parentCtx == nil then
 	return;
 end
 
-local appId = parentCtx:get_option_string("app_id");
-local appSecret = parentCtx:get_option_string("app_secret");
-local allowEmptyToken = parentCtx:get_option_boolean("allow_empty_token");
-local disableRoomNameConstraints = parentCtx:get_option_boolean("disable_room_name_constraints")
+local token_util = module:require "token/util".new(parentCtx);
+
+-- no token configuration
+if token_util == nil then
+    return;
+end
 
 log("debug",
 	"%s - starting MUC token verifier app_id: %s app_secret: %s allow empty: %s",
-	tostring(host), tostring(appId), tostring(appSecret),
-	tostring(allowEmptyToken));
+	tostring(host), tostring(token_util.appId), tostring(token_util.appSecret),
+	tostring(token_util.allowEmptyToken));
 
 local function verify_user(session, stanza)
 	log("debug", "Session token: %s, session room: %s",
@@ -43,32 +45,18 @@ local function verify_user(session, stanza)
 		return nil;
 	end
 
-	if allowEmptyToken and session.auth_token == nil then
-		module:log(
-			"debug",
-			"Skipped room token verification - empty tokens are allowed");
-		return nil;
-	end
-
-	local room = string.match(stanza.attr.to, "^(%w+)@");
-	log("debug", "Will verify token for user: %s, room: %s ", user_jid, room);
-	if room == nil then
-		log("error",
-			"Unable to get name of the MUC room ? to: %s", stanza.attr.to);
-		return nil;
-	end
-
-	local token = session.auth_token;
-	local auth_room = session.jitsi_meet_room;
-	if disableRoomNameConstraints ~= true and room ~= string.lower(auth_room) then
-		log("error", "Token %s not allowed to join: %s",
-			tostring(token), tostring(auth_room));
-		session.send(
-			st.error_reply(
-				stanza, "cancel", "not-allowed", "Room and token mismatched"));
-		return true;
-	end
-	log("debug", "allowed: %s to enter/create room: %s", user_jid, room);
+    log("debug",
+        "Will verify token for user: %s, room: %s ", user_jid, stanza.attr.to);
+    if not token_util:verify_room(session, stanza.attr.to) then
+        log("error", "Token %s not allowed to join: %s",
+            tostring(session.auth_token), tostring(session.jitsi_meet_room));
+        session.send(
+            st.error_reply(
+                stanza, "cancel", "not-allowed", "Room and token mismatched"));
+        return false; -- we need to just return non nil
+    end
+	log("debug",
+        "allowed: %s to enter/create room: %s", user_jid, stanza.attr.to);
 end
 
 module:hook("muc-room-pre-create", function(event)

resources/prosody-plugins/token/util.lib.lua

@@ -1,40 +1,224 @@
 -- Token authentication
 -- Copyright (C) 2015 Atlassian
 
+local basexx = require "basexx";
+local have_async, async = pcall(require, "util.async");
+local hex = require "util.hex";
 local jwt = require "luajwtjitsi";
+local http = require "net.http";
+local json = require "cjson";
+local path = require "util.paths";
+local sha256 = require "util.hashes".sha256;
+local timer = require "util.timer";
 
-local _M = {};
+local http_timeout = 30;
+local http_headers = {
+    ["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"
+};
 
-local function _verify_token(token, appId, appSecret, disableRoomNameConstraints)
+-- TODO: Figure out a less arbitrary default cache size.
+local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);
+local cache = require"util.cache".new(cacheSize);
 
-	local claims, err = jwt.decode(token, appSecret, true);
-	if claims == nil then
-		return nil, err;
-	end
+local Util = {}
+Util.__index = Util
 
-	local alg = claims["alg"];
-	if alg ~= nil and (alg == "none" or alg == "") then
-		return nil, "'alg' claim must not be empty";
-	end
+--- Constructs util class for token verifications.
+-- Constructor that uses the passed module to extract all the
+-- needed configurations.
+-- If confuguration is missing returns nil
+-- @param module the module in which options to check for configs.
+-- @return the new instance or nil
+function Util.new(module)
+    local self = setmetatable({}, Util)
 
-	local issClaim = claims["iss"];
-	if issClaim == nil then
-		return nil, "'iss' claim is missing";
-	end
-	if issClaim ~= appId then
-		return nil, "Invalid application ID('iss' claim)";
-	end
+    self.appId = module:get_option_string("app_id");
+    self.appSecret = module:get_option_string("app_secret");
+    self.asapKeyServer = module:get_option_string("asap_key_server");
+    self.allowEmptyToken = module:get_option_boolean("allow_empty_token");
+    self.disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");
 
-	local roomClaim = claims["room"];
-	if roomClaim == nil and disableRoomNameConstraints ~= true then
-		return nil, "'room' claim is missing";
-	end
+    if self.allowEmptyToken == true then
+        module:log("warn", "WARNING - empty tokens allowed");
+    end
 
-	return claims;
+    if self.appId == nil then
+        module:log("error", "'app_id' must not be empty");
+        return nil;
+    end
+
+    if self.appSecret == nil and self.asapKeyServer == nil then
+        module:log("error", "'app_secret' or 'asap_key_server' must be specified");
+        return nil;
+    end
+
+    if self.asapKeyServer and not have_async then
+        module:log("error", "requires a version of Prosody with util.async");
+        return nil;
+    end
+
+    return self
+end
+
+--- Returns the public key by keyID
+-- @param keyId the key ID to request
+-- @return the public key (the content of requested resource) or nil
+function Util:get_public_key(keyId)
+    local content = cache:get(keyId);
+    if content == nil then
+        -- If the key is not found in the cache.
+        module:log("debug", "Cache miss for key: "..keyId);
+        local code;
+        local wait, done = async.waiter();
+        local function cb(content_, code_, response_, request_)
+            content, code = content_, code_;
+            if code == 200 or code == 204 then
+                cache:set(keyId, content);
+            end
+            done();
+        end
+        local keyurl = path.join(self.asapKeyServer, hex.to(sha256(keyId))..'.pem');
+        module:log("debug", "Fetching public key from: "..keyurl);
+
+        -- We hash the key ID to work around some legacy behavior and make
+        -- deployment easier. It also helps prevent directory
+        -- traversal attacks (although path cleaning could have done this too).
+        local request = http.request(keyurl, {
+            headers = http_headers or {},
+            method = "GET"
+        }, cb);
+
+        -- TODO: Is the done() call racey? Can we cancel this if the request
+        --       succeedes?
+        local function cancel()
+            -- TODO: This check is racey. Not likely to be a problem, but we should
+            --       still stick a mutex on content / code at some point.
+            if code == nil then
+                http.destroy_request(request);
+                done();
+            end
+        end
+        timer.add_task(http_timeout, cancel);
+        wait();
+
+        if code == 200 or code == 204 then
+            return content;
+        end
+    else
+        -- If the key is in the cache, use it.
+        module:log("debug", "Cache hit for key: "..keyId);
+        return content;
+    end
+
+    return nil;
 end
 
-function _M.verify_token(token, appId, appSecret, disableRoomNameConstraints)
-	return _verify_token(token, appId, appSecret, disableRoomNameConstraints);
+--- Verifies token
+-- @param token the token to verify
+-- @return nil and error or the extracted claims from the token
+function Util:verify_token(token)
+    local claims, err = jwt.decode(token, self.appSecret, true);
+    if claims == nil then
+        return nil, err;
+    end
+
+    local alg = claims["alg"];
+    if alg ~= nil and (alg == "none" or alg == "") then
+        return nil, "'alg' claim must not be empty";
+    end
+
+    local issClaim = claims["iss"];
+    if issClaim == nil then
+        return nil, "'iss' claim is missing";
+    end
+    if issClaim ~= self.appId then
+        return nil, "Invalid application ID('iss' claim)";
+    end
+
+    local roomClaim = claims["room"];
+    if roomClaim == nil and self.disableRoomNameConstraints ~= true then
+        return nil, "'room' claim is missing";
+    end
+
+    return claims;
+end
+
+--- Verifies token and process needed values to be stored in the session.
+-- Stores in session the following values:
+-- session.jitsi_meet_room - the room name value from the token
+-- @param session the current session
+-- @param token the token to verify
+-- @return false and error
+function Util:process_and_verify_token(session, token)
+
+    if token == nil then
+        if self.allowEmptyToken then
+            return true;
+        else
+            return false, "not-allowed", "token required";
+        end
+    end
+
+    local pubKey;
+    if self.asapKeyServer and session.auth_token ~= nil then
+        local dotFirst = session.auth_token:find("%.");
+        if not dotFirst then return nil, "Invalid token" end
+        local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
+        local kid = header["kid"];
+        if kid == nil then
+            return false, "not-allowed", "'kid' claim is missing";
+        end
+        pubKey = self:get_public_key(kid);
+        if pubKey == nil then
+            return false, "not-allowed", "could not obtain public key";
+        end
+    end
+
+    -- now verify the whole token
+    local claims, msg;
+    if self.asapKeyServer then
+        claims, msg = self:verify_token(token);
+    else
+        claims, msg = self:verify_token(token);
+    end
+    if claims ~= nil then
+        -- Binds room name to the session which is later checked on MUC join
+        session.jitsi_meet_room = claims["room"];
+        return true;
+    else
+        return false, "not-allowed", msg;
+    end
+end
+
+--- Verifies room name if necesarry.
+-- Checks configs and if necessary checks the room name extracted from
+-- room_address against the one saved in the session when token was verified
+-- @param session the current session
+-- @param room_address the whole room address as received
+-- @return returns true in case room was verified or there is no need to verify
+--         it and returns false in case verification was processed
+--         and was not successful
+function Util:verify_room(session, room_address)
+    if self.allowEmptyToken and session.auth_token == nil then
+        module:log(
+            "debug",
+            "Skipped room token verification - empty tokens are allowed");
+        return true;
+    end
+
+    local room = string.match(room_address, "^(%w+)@");
+    if room == nil then
+        log("error",
+            "Unable to get name of the MUC room ? to: %s", room_address);
+        return true;
+    end
+
+    local auth_room = session.jitsi_meet_room;
+    if self.disableRoomNameConstraints ~= true and room ~= string.lower(auth_room) then
+        return false;
+    end
+
+    return true;
 end
 
-return _M;
+return Util;