Merge pull request #825 from SamWhited/mod_token_improvements

Mod token improvements
2016-08-31 12:48:04 -05:00 · 2016-08-31 12:48:04 -05:00 · 9ba62c320b
parent d9559ecf63 3128628d09
commit 9ba62c320b
1 changed files with 10 additions and 1 deletions
--- a/prosody-plugins/mod_auth_token.lua
+++ b/prosody-plugins/mod_auth_token.lua
@ -9,6 +9,7 @@ local http = require "net.http";
 local json = require "cjson";
 local new_sasl = require "util.sasl".new;
 local sasl = require "util.sasl";
+local sha256 = require "util.hashes".sha256;
 local timer = require "util.timer";
 local token_util = module:require "token/util";

@ -93,13 +94,21 @@ function get_public_key(keyId)
 		local wait, done = async.waiter();
 		local function cb(content_, code_, response_, request_)
 			content, code = content_, code_;
+			if code == 200 or code == 204 then
+				cache:set(keyId, content);
+			end
 			done();
 		end
 		module:log("debug", "Fetching public key from: "..asapKeyServer..keyId);
-		local request = http.request(asapKeyServer..keyId, {
+
+		-- We hash the key ID to work around some legacy behavior and make
+		-- deployment easier. It also helps prevent directory
+		-- traversal attacks (although path cleaning could have done this too).
+		local request = http.request(asapKeyServer..sha256(keyId)..'.pem', {
 			headers = http_headers or {},
 			method = "GET"
 		}, cb);
+
 		-- TODO: Is the done() call racey? Can we cancel this if the request
 		--       succeedes?
 		local function cancel()