jfinn
/
jitsi_corner9
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen mit entweder einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
2168 Commits
4 Branches
Struktur: feb1d9d8e1
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „feb1d9d8e1“
${ noResults }
jitsi_corner9/prosody-plugins/mod_auth_token.lua

mod_auth_token.lua 5.0KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require 'basexx';

  5. local have_async, async = pcall(require, "util.async");

  6. local formdecode = require "util.http".formdecode;

  7. local generate_uuid = require "util.uuid".generate;

  8. local http = require "net.http";

  9. local json = require 'cjson'

  10. json.encode_empty_table('array')

  11. local new_sasl = require "util.sasl".new;

  12. local path = require "util.paths";

  13. local sasl = require "util.sasl";

  14. local timer = require "util.timer";

  15. local token_util = module:require "token/util";

  16. 

  17. -- define auth provider

  18. local provider = {};

  19. 

  20. local host = module.host;

  21. 

  22. local appId = module:get_option_string("app_id");

  23. local appSecret = module:get_option_string("app_secret");

  24. local asapKeyServer = module:get_option_string("asap_key_server");

  25. local allowEmptyToken = module:get_option_boolean("allow_empty_token");

  26. local disableRoomNameConstraints = module:get_option_boolean("disable_room_name_constraints");

  27. 

  28. -- TODO: Figure out a less arbitrary default cache size.

  29. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  30. local cache = require"util.cache".new(cacheSize);

  31. 

  32. if allowEmptyToken == true then

  33. 	module:log("warn", "WARNING - empty tokens allowed");

  34. end

  35. 

  36. if appId == nil then

  37. 	module:log("error", "'app_id' must not be empty");

  38. 	return;

  39. end

  40. 

  41. if appSecret == nil and asapKeyServer == nil then

  42. 	module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  43. 	return;

  44. end

  45. 

  46. if asapKeyServer and not have_async then

  47. 	module:log("error", "requires a version of Prosody with util.async");

  48. 	return;

  49. end

  50. 

  51. -- Extract 'token' param from BOSH URL when session is created

  52. module:hook("bosh-session", function(event)

  53. 	local session, request = event.session, event.request;

  54. 	local query = request.url.query;

  55. 	if query ~= nil then

  56. 		session.auth_token = query and formdecode(query).token or nil;

  57. 	end

  58. end)

  59. 

  60. function provider.test_password(username, password)

  61. 	return nil, "Password based auth not supported";

  62. end

  63. 

  64. function provider.get_password(username)

  65. 	return nil;

  66. end

  67. 

  68. function provider.set_password(username, password)

  69. 	return nil, "Set password not supported";

  70. end

  71. 

  72. function provider.user_exists(username)

  73. 	return nil;

  74. end

  75. 

  76. function provider.create_user(username, password)

  77. 	return nil;

  78. end

  79. 

  80. function provider.delete_user(username)

  81. 	return nil;

  82. end

  83. 

  84. local http_timeout = 30;

  85. local http_headers = {

  86. 	["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  87. };

  88. 

  89. function get_public_key(keyId)

  90. 	local content = cache:get(keyId);

  91. 	if content == nil then

  92. 		-- If the key is not found in the cache.

  93. 		module:log("debug", "Cache miss for key: "..keyId);

  94. 		local code;

  95. 		local wait, done = async.waiter();

  96. 		local function cb(content_, code_, response_, request_)

  97. 			content, code = content_, code_;

  98. 			done();

  99. 		end

  100. 		local request = http.request(path.join(asapKeyServer, keyId), {

  101. 			headers = http_headers or {},

  102. 			method = "GET"

  103. 		}, cb);

  104. 		-- TODO: Is the done() call racey?

  105. 		timer.add_task(http_timeout, function() http.destroy_request(request); done(); end);

  106. 		wait();

  107. 

  108. 		if code == 200 or code == 204 then

  109. 			module:log("debug", "Cache hit for key: "..keyId);

  110. 			return content;

  111. 		end

  112. 	else

  113. 		-- If the key is in the cache, use it.

  114. 		return content;

  115. 	end

  116. 

  117. 	return nil

  118. end

  119. 

  120. function provider.get_sasl_handler(session)

  121. 	-- JWT token extracted from BOSH URL

  122. 	local token = session.auth_token;

  123. 

  124. 	local function get_username_from_token(self, message)

  125. 

  126. 		if token == nil then

  127. 			if allowEmptyToken then

  128. 				return true

  129. 			else

  130. 				return false, "not-allowed", "token required";

  131. 			end

  132. 		end

  133. 

  134. 		local pubKey;

  135. 		if asapKeyServer and session.auth_token ~= nil then

  136. 			local dotFirst = session.auth_token:find("%.")

  137. 			if not dotFirst then return nil, "Invalid token" end

  138. 			local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)))

  139. 			local kid = header["kid"]

  140. 			if kid == nil then

  141. 				return false, "not-allowed", "'kid' claim is missing";

  142. 			end

  143. 			pubKey = get_public_key(kid);

  144. 			if pubKey == nil then

  145. 				return false, "not-allowed", "could not obtain public key";

  146. 			end

  147. 		end

  148. 

  149. 		-- now verify the whole token

  150. 		local result, msg;

  151. 		if asapKeyServer then

  152. 			result, msg = token_util.verify_token(token, appId, pubKey, disableRoomNameConstraints);

  153. 		else

  154. 			result, msg = token_util.verify_token(token, appId, appSecret, disableRoomNameConstraints);

  155. 		end

  156. 		if result == true then

  157. 			-- Binds room name to the session which is later checked on MUC join

  158. 			session.jitsi_meet_room = room;

  159. 			return true

  160. 		else

  161. 			return false, "not-allowed", msg

  162. 		end

  163. 	end

  164. 

  165. 	return new_sasl(host, { anonymous = get_username_from_token });

  166. end

  167. 

  168. module:provides("auth", provider);

  169. 

  170. local function anonymous(self, message)

  171. 

  172. 	local username = generate_uuid();

  173. 

  174. 	-- This calls the handler created in 'provider.get_sasl_handler(session)'

  175. 	local result, err, msg = self.profile.anonymous(self, username, self.realm);

  176. 

  177. 	self.username = username;

  178. 

  179. 	if result == true then

  180. 		return "success"

  181. 	else

  182. 

  183. 		return "failure", err, msg

  184. 	end

  185. end

  186. 

  187. sasl.registerMechanism("ANONYMOUS", {"anonymous"}, anonymous);