From d8c4c0627a6ed343a97c42e26a387e03f33b462a Mon Sep 17 00:00:00 2001
From: Sam Whited
Date: Wed, 31 Aug 2016 09:24:15 -0500
Subject: [PATCH 1/2] SHA256 hash the kid claim before fetching tokens
---
 prosody-plugins/mod_auth_token.lua | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/prosody-plugins/mod_auth_token.lua b/prosody-plugins/mod_auth_token.lua
index 077a1b840..4aa14d137 100644
--- a/prosody-plugins/mod_auth_token.lua
+++ b/prosody-plugins/mod_auth_token.lua
@@ -9,6 +9,7 @@ local http = require "net.http";
 local json = require "cjson";
 local new_sasl = require "util.sasl".new;
 local sasl = require "util.sasl";
+local sha256 = require "util.hashes".sha256;
 local timer = require "util.timer";
 local token_util = module:require "token/util";
@@ -96,10 +97,15 @@ function get_public_key(keyId)
 done();
 end
 module:log("debug", "Fetching public key from: "..asapKeyServer..keyId);
- local request = http.request(asapKeyServer..keyId, {
+
+ -- We hash the key ID to work around some legacy behavior in the original
+ -- deployment and make deployment easier. It also helps prevent directory
+ -- traversal attacks (although path cleaning could have done this too).
+ local request = http.request(asapKeyServer..sha256(keyId)..'.pem', {
 headers = http_headers or {},
 method = "GET"
 }, cb);
+
 -- TODO: Is the done() call racey? Can we cancel this if the request
 -- succeedes?
 local function cancel()
From 3128628d091f051fdb9bb444fce206b4c8e51946 Mon Sep 17 00:00:00 2001
From: Sam Whited
Date: Wed, 31 Aug 2016 09:25:10 -0500
Subject: [PATCH 2/2] Populate the token cache
---
 prosody-plugins/mod_auth_token.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/prosody-plugins/mod_auth_token.lua b/prosody-plugins/mod_auth_token.lua
index 4aa14d137..b43f45d4a 100644
--- a/prosody-plugins/mod_auth_token.lua
+++ b/prosody-plugins/mod_auth_token.lua
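Review bot: On the `http.request` line, `sha256(keyId)` is spliced into the URL exactly as util.hashes returns it, and that function yields the raw 32-byte digest unless its second argument is true, so the request path would carry arbitrary bytes rather than the hex file name the `.pem` suffix suggests; use `sha256(keyId, true)` (or an explicit hex encoding) and state the expected server-side naming in the added comment, e.g. `-- The key server serves each key as <hex sha256 of kid>.pem under asapKeyServer.`. The debug log on the context line just above still prints `asapKeyServer..keyId`, which is no longer the URL actually requested, so it should log the hashed URL or both values. The request also passes no `sslctx`, so whether the key server's certificate is verified depends on net.http's defaults in the Prosody version deployed; that is worth confirming, since these keys are what the token signatures are checked against. get_public_key starts and ends outside the hunk.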
@@ -94,12 +94,15 @@ function get_public_key(keyId)
 local wait, done = async.waiter();
 local function cb(content_, code_, response_, request_)
 content, code = content_, code_;
+ if code == 200 or code == 204 then
+ cache:set(keyId, content);
+ end
 done();
 end
 module:log("debug", "Fetching public key from: "..asapKeyServer..keyId);
- -- We hash the key ID to work around some legacy behavior in the original
- -- deployment and make deployment easier. It also helps prevent directory
+ -- We hash the key ID to work around some legacy behavior and make
+ -- deployment easier. It also helps prevent directory
 -- traversal attacks (although path cleaning could have done this too).
 local request = http.request(asapKeyServer..sha256(keyId)..'.pem', {
 headers = http_headers or {},