added checks for audience and issuer values (#1772)
* added checks for audience and issuer values default audience and issuer checks to validate only appId added missing documentation lines from the previous PR for context_user and context_group session values * support for accepting any audience option set to accept any audience by default
This commit is contained in:
parent
3de6f1cd7f
commit
622d4ba89c
|
@ -86,6 +86,12 @@ function Util.new(module)
|
||||||
return nil;
|
return nil;
|
||||||
end
|
end
|
||||||
|
|
||||||
|
--array of accepted issuers: by default only includes our appId
|
||||||
|
self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})
|
||||||
|
|
||||||
|
--array of accepted audiences: by default only includes our appId
|
||||||
|
self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})
|
||||||
|
|
||||||
if self.asapKeyServer and not have_async then
|
if self.asapKeyServer and not have_async then
|
||||||
module:log("error", "requires a version of Prosody with util.async");
|
module:log("error", "requires a version of Prosody with util.async");
|
||||||
return nil;
|
return nil;
|
||||||
|
@ -147,6 +153,38 @@ function Util:get_public_key(keyId)
|
||||||
return nil;
|
return nil;
|
||||||
end
|
end
|
||||||
|
|
||||||
|
--- Verifies issuer part of token
|
||||||
|
-- @param 'iss' claim from the token to verify
|
||||||
|
-- @return nil and error string or true for accepted claim
|
||||||
|
function Util:verify_issuer(issClaim)
|
||||||
|
for i, iss in ipairs(self.acceptedIssuers) do
|
||||||
|
if issClaim == iss then
|
||||||
|
--claim matches an accepted issuer so return success
|
||||||
|
return true;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
--if issClaim not found in acceptedIssuers, fail claim
|
||||||
|
return nil, "Invalid issuer ('iss' claim)";
|
||||||
|
end
|
||||||
|
|
||||||
|
--- Verifies audience part of token
|
||||||
|
-- @param 'aud' claim from the token to verify
|
||||||
|
-- @return nil and error string or true for accepted claim
|
||||||
|
function Util:verify_audience(audClaim)
|
||||||
|
for i, aud in ipairs(self.acceptedAudiences) do
|
||||||
|
if aud == '*' then
|
||||||
|
--* indicates to accept any audience in the claims so return success
|
||||||
|
return true;
|
||||||
|
end
|
||||||
|
if audClaim == aud then
|
||||||
|
--claim matches an accepted audience so return success
|
||||||
|
return true;
|
||||||
|
end
|
||||||
|
end
|
||||||
|
--if issClaim not found in acceptedIssuers, fail claim
|
||||||
|
return nil, "Invalid audience ('aud' claim)";
|
||||||
|
end
|
||||||
|
|
||||||
--- Verifies token
|
--- Verifies token
|
||||||
-- @param token the token to verify
|
-- @param token the token to verify
|
||||||
-- @param secret the secret to use to verify token
|
-- @param secret the secret to use to verify token
|
||||||
|
@ -166,8 +204,10 @@ function Util:verify_token(token, secret)
|
||||||
if issClaim == nil then
|
if issClaim == nil then
|
||||||
return nil, "'iss' claim is missing";
|
return nil, "'iss' claim is missing";
|
||||||
end
|
end
|
||||||
if issClaim ~= self.appId then
|
--check the issuer against the accepted list
|
||||||
return nil, "Invalid application ID('iss' claim)";
|
local issCheck, issCheckErr = self:verify_issuer(issClaim);
|
||||||
|
if issCheck == nil then
|
||||||
|
return nil, issCheckErr;
|
||||||
end
|
end
|
||||||
|
|
||||||
local roomClaim = claims["room"];
|
local roomClaim = claims["room"];
|
||||||
|
@ -179,6 +219,11 @@ function Util:verify_token(token, secret)
|
||||||
if audClaim == nil then
|
if audClaim == nil then
|
||||||
return nil, "'aud' claim is missing";
|
return nil, "'aud' claim is missing";
|
||||||
end
|
end
|
||||||
|
--check the audience against the accepted list
|
||||||
|
local audCheck, audCheckErr = self:verify_audience(audClaim);
|
||||||
|
if audCheck == nil then
|
||||||
|
return nil, audCheckErr;
|
||||||
|
end
|
||||||
|
|
||||||
return claims;
|
return claims;
|
||||||
end
|
end
|
||||||
|
@ -188,6 +233,8 @@ end
|
||||||
-- Stores in session the following values:
|
-- Stores in session the following values:
|
||||||
-- session.jitsi_meet_room - the room name value from the token
|
-- session.jitsi_meet_room - the room name value from the token
|
||||||
-- session.jitsi_meet_domain - the domain name value from the token
|
-- session.jitsi_meet_domain - the domain name value from the token
|
||||||
|
-- session.jitsi_meet_context_user - the user details from the token
|
||||||
|
-- session.jitsi_meet_context_group - the group value from the token
|
||||||
-- @param session the current session
|
-- @param session the current session
|
||||||
-- @return false and error
|
-- @return false and error
|
||||||
function Util:process_and_verify_token(session)
|
function Util:process_and_verify_token(session)
|
||||||
|
|
Loading…
Reference in New Issue