haskal
/
jiti-meet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SHA256 hash the kid claim before fetching tokens

This commit is contained in:
Sam Whited 2016-08-31 09:24:15 -05:00
parent d9559ecf63
commit d8c4c0627a
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
prosody-plugins/mod_auth_token.lua
View File

@ -9,6 +9,7 @@ local http = require "net.http";
local json = require "cjson"; local json = require "cjson";
local new_sasl = require "util.sasl".new; local new_sasl = require "util.sasl".new;
local sasl = require "util.sasl"; local sasl = require "util.sasl";
local sha256 = require "util.hashes".sha256;
local timer = require "util.timer"; local timer = require "util.timer";
local token_util = module:require "token/util"; local token_util = module:require "token/util";
@ -96,10 +97,15 @@ function get_public_key(keyId)
done(); done();
end end
module:log("debug", "Fetching public key from: "..asapKeyServer..keyId); module:log("debug", "Fetching public key from: "..asapKeyServer..keyId);
local request = http.request(asapKeyServer..keyId, {
-- We hash the key ID to work around some legacy behavior in the original
-- deployment and make deployment easier. It also helps prevent directory
-- traversal attacks (although path cleaning could have done this too).
local request = http.request(asapKeyServer..sha256(keyId)..'.pem', {
headers = http_headers or {}, headers = http_headers or {},
method = "GET" method = "GET"
}, cb); }, cb);
-- TODO: Is the done() call racey? Can we cancel this if the request -- TODO: Is the done() call racey? Can we cancel this if the request
-- succeedes? -- succeedes?
local function cancel() local function cancel()