jfinn
/
jitsi_corner9
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2170 Commits
4 Branches
Tree: c951f7f3e9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c951f7f3e9'
${ noResults }
jitsi_corner9/prosody-plugins/mod_auth_token.lua

mod_auth_token.lua 5.1KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require 'basexx';

  5. local have_async, async = pcall(require, "util.async");

  6. local formdecode = require "util.http".formdecode;

  7. local generate_uuid = require "util.uuid".generate;

  8. local http = require "net.http";

  9. local json = require 'cjson'

  10. json.encode_empty_table('array')

  11. local new_sasl = require "util.sasl".new;

  12. local sasl = require "util.sasl";

  13. local timer = require "util.timer";

  14. local token_util = module:require "token/util";

  15. 

  16. -- define auth provider

  17. local provider = {};

  18. 

  19. local host = module.host;

  20. 

  21. local appId = module:get_option_string("app_id");

  22. local appSecret = module:get_option_string("app_secret");

  23. local asapKeyServer = module:get_option_string("asap_key_server");

  24. local allowEmptyToken = module:get_option_boolean("allow_empty_token");

  25. local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");

  26. 

  27. -- TODO: Figure out a less arbitrary default cache size.

  28. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  29. local cache = require"util.cache".new(cacheSize);

  30. 

  31. if allowEmptyToken == true then

  32. 	module:log("warn", "WARNING - empty tokens allowed");

  33. end

  34. 

  35. if appId == nil then

  36. 	module:log("error", "'app_id' must not be empty");

  37. 	return;

  38. end

  39. 

  40. if appSecret == nil and asapKeyServer == nil then

  41. 	module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  42. 	return;

  43. end

  44. 

  45. if asapKeyServer and not have_async then

  46. 	module:log("error", "requires a version of Prosody with util.async");

  47. 	return;

  48. end

  49. 

  50. -- Extract 'token' param from BOSH URL when session is created

  51. module:hook("bosh-session", function(event)

  52. 	local session, request = event.session, event.request;

  53. 	local query = request.url.query;

  54. 	if query ~= nil then

  55. 		session.auth_token = query and formdecode(query).token or nil;

  56. 	end

  57. end)

  58. 

  59. function provider.test_password(username, password)

  60. 	return nil, "Password based auth not supported";

  61. end

  62. 

  63. function provider.get_password(username)

  64. 	return nil;

  65. end

  66. 

  67. function provider.set_password(username, password)

  68. 	return nil, "Set password not supported";

  69. end

  70. 

  71. function provider.user_exists(username)

  72. 	return nil;

  73. end

  74. 

  75. function provider.create_user(username, password)

  76. 	return nil;

  77. end

  78. 

  79. function provider.delete_user(username)

  80. 	return nil;

  81. end

  82. 

  83. local http_timeout = 30;

  84. local http_headers = {

  85. 	["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  86. };

  87. 

  88. function get_public_key(keyId)

  89. 	local content = cache:get(keyId);

  90. 	if content == nil then

  91. 		-- If the key is not found in the cache.

  92. 		module:log("debug", "Cache miss for key: "..keyId);

  93. 		local code;

  94. 		local wait, done = async.waiter();

  95. 		local function cb(content_, code_, response_, request_)

  96. 			content, code = content_, code_;

  97. 			done();

  98. 		end

  99. 		module:log("debug", "Fetching public key from: "..asapKeyServer..keyId);

  100. 		local request = http.request(asapKeyServer..keyId, {

  101. 			headers = http_headers or {},

  102. 			method = "GET"

  103. 		}, cb);

  104. 		-- TODO: Is the done() call racey? Can we cancel this if the request

  105. 		--       succeedes?

  106. 		timer.add_task(http_timeout, function() http.destroy_request(request); done(); end);

  107. 		wait();

  108. 

  109. 		if code == 200 or code == 204 then

  110. 			module:log("debug", "Cache hit for key: "..keyId);

  111. 			return content;

  112. 		end

  113. 	else

  114. 		-- If the key is in the cache, use it.

  115. 		return content;

  116. 	end

  117. 

  118. 	return nil;

  119. end

  120. 

  121. function provider.get_sasl_handler(session)

  122. 	-- JWT token extracted from BOSH URL

  123. 	local token = session.auth_token;

  124. 

  125. 	local function get_username_from_token(self, message)

  126. 

  127. 		if token == nil then

  128. 			if allowEmptyToken then

  129. 				return true;

  130. 			else

  131. 				return false, "not-allowed", "token required";

  132. 			end

  133. 		end

  134. 

  135. 		local pubKey;

  136. 		if asapKeyServer and session.auth_token ~= nil then

  137. 			local dotFirst = session.auth_token:find("%.")

  138. 			if not dotFirst then return nil, "Invalid token" end

  139. 			local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)))

  140. 			local kid = header["kid"]

  141. 			if kid == nil then

  142. 				return false, "not-allowed", "'kid' claim is missing";

  143. 			end

  144. 			pubKey = get_public_key(kid);

  145. 			if pubKey == nil then

  146. 				return false, "not-allowed", "could not obtain public key";

  147. 			end

  148. 		end

  149. 

  150. 		-- now verify the whole token

  151. 		local result, msg;

  152. 		if asapKeyServer then

  153. 			result, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);

  154. 		else

  155. 			result, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);

  156. 		end

  157. 		if result == true then

  158. 			-- Binds room name to the session which is later checked on MUC join

  159. 			session.jitsi_meet_room = room;

  160. 			return true;

  161. 		else

  162. 			return false, "not-allowed", msg

  163. 		end

  164. 	end

  165. 

  166. 	return new_sasl(host, { anonymous = get_username_from_token });

  167. end

  168. 

  169. module:provides("auth", provider);

  170. 

  171. local function anonymous(self, message)

  172. 

  173. 	local username = generate_uuid();

  174. 

  175. 	-- This calls the handler created in 'provider.get_sasl_handler(session)'

  176. 	local result, err, msg = self.profile.anonymous(self, username, self.realm);

  177. 

  178. 	self.username = username;

  179. 

  180. 	if result == true then

  181. 		return "success"

  182. 	else

  183. 

  184. 		return "failure", err, msg

  185. 	end

  186. end

  187. 

  188. sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);