From 61e637a6394e0bc3ab9b6270f5b0d14923e7421e Mon Sep 17 00:00:00 2001
From: damencho
Date: Mon, 17 Apr 2017 16:37:31 -0500
Subject: [PATCH] Adds prosody module to filter incoming rayo iqs based on jwt token. Returns forbidden error message if module is enabled and the user sending a dialout rayo command is not authenticated through jwt token or is not allowed to enter the room name from the rayo iq.
---
.../prosody-plugins/mod_filter_iq_rayo.lua | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 resources/prosody-plugins/mod_filter_iq_rayo.lua
diff --git a/resources/prosody-plugins/mod_filter_iq_rayo.lua b/resources/prosody-plugins/mod_filter_iq_rayo.lua
new file mode 100644
index 000000000..440105a8e
--- /dev/null
+++ b/resources/prosody-plugins/mod_filter_iq_rayo.lua
@@ -0,0 +1,41 @@
+local st = require "util.stanza";
+
+local token_util = module:require "token/util".new(module);
+
+-- no token configuration but required
+if token_util == nil then
+ log("error", "no token configuration but it is required");
+ return;
+end
+
+-- filters rayo iq in case of requested from not jwt authenticated sessions
+module:hook("pre-iq/full", function(event)
+ local stanza = event.stanza;
+ if stanza.name == "iq" then
+ local dial = stanza:get_child('dial', 'urn:xmpp:rayo:1');
+ if dial then
+ local session = event.origin;
+ local token = session.auth_token;
+
+ -- find header with attr name 'JvbRoomName' and extract its value
+ local headerName = 'JvbRoomName';
+ local roomName;
+ for _, child in ipairs(dial.tags) do
+ if (child.name == 'header'
+ and child.attr.name == headerName) then
+ roomName = child.attr.value;
+ break;
+ end
+ end
+
+ if token == nil
+ or roomName == nil
+ or not token_util:verify_room(session, roomName) then
+ module:log("info",
+ "Filtering stanza dial, stanza:%s", tostring(stanza));
+ session.send(st.error_reply(stanza, "auth", "forbidden"));
+ return true;
+ end
+ end
+ end
+end);
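Review bot: When `token_util` is nil the module logs and returns before `module:hook("pre-iq/full", ...)` is reached, so an enabled module with missing token configuration installs no filter and every dial IQ passes, i.e. the check fails open. Consider failing closed by keeping the hook registered and starting the rejection condition with `if token_util == nil or token == nil`, and use `module:log("error", ...)` instead of the bare `log(...)`, which this file never defines. The header loop also stops at the first `JvbRoomName` match; whatever consumes the dial is not visible here, but if it reads a different occurrence then the room that was verified and the room that is used could differ, so rejecting a dial that carries more than one such header would be safer. A short comment above the hook, such as `-- only IQs addressed to full JIDs reach this hook`, would make the filter's scope clear to operators.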