-rw-r--r--src/cyrsasl_oauth.erl2
-rw-r--r--src/ejabberd_commands.erl2
-rw-r--r--src/ejabberd_oauth.erl34
-rw-r--r--src/mod_http_api.erl11
4 files changed, 32 insertions, 17 deletions
diff --git a/src/cyrsasl_oauth.erl b/src/cyrsasl_oauth.erl
index 16f1e3dfb..80ba315ed 100644
--- a/src/cyrsasl_oauth.erl
+++ b/src/cyrsasl_oauth.erl
@@ -51,7 +51,7 @@ mech_step(State, ClientIn) ->
{ok,
[{username, User}, {authzid, AuthzId},
{auth_module, ejabberd_oauth}]};
- false ->
+ _ ->
{error, <<"not-authorized">>, User}
end;
_ -> {error, <<"bad-protocol">>}
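Review bot: The clause changed from `false ->` to `_ ->` now denies on anything other than `true`, which is the right fail-closed default for an authentication step, but nothing records why a catch-all is used instead of the documented shape `{false, _Reason} ->`. As written it is actually required, because ejabberd_oauth:check_token/4 in this same commit still returns a bare `false` from its scope check alongside the new `{false, expired}` and `{false, not_found}` tuples, so an explicit tuple match would hit `case_clause` on a scope miss. A comment such as `%% anything but true is denied (fail closed); check_token/4 may return false or {false, Reason}` would make that dependency visible to the next reader. The same `_ ->` substitution in ejabberd_commands.erl check_auth relies on the identical fact. mech_step's body begins outside this hunk.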
diff --git a/src/ejabberd_commands.erl b/src/ejabberd_commands.erl
index 2c095440f..d9497322f 100644
--- a/src/ejabberd_commands.erl
+++ b/src/ejabberd_commands.erl
@@ -682,7 +682,7 @@ check_auth(Command, {User, Server, {oauth, Token}, _}) ->
case ejabberd_oauth:check_token(User, Server, ScopeList, Token) of
true ->
{ok, User, Server};
- false ->
+ _ ->
throw({error, invalid_account_data})
end;
check_auth(_Command, {User, Server, Password, _}) when is_binary(Password) ->
diff --git a/src/ejabberd_oauth.erl b/src/ejabberd_oauth.erl
index 0ac18b7ef..531f27749 100644
--- a/src/ejabberd_oauth.erl
+++ b/src/ejabberd_oauth.erl
@@ -321,12 +321,17 @@ check_token(User, Server, ScopeList, Token) ->
expire = Expire}] ->
{MegaSecs, Secs, _} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
- TokenScopeSet = oauth2_priv_set:new(TokenScope),
- lists:any(fun(Scope) ->
- oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
- ScopeList) andalso Expire > TS;
+ if
+ Expire > TS ->
+ TokenScopeSet = oauth2_priv_set:new(TokenScope),
+ lists:any(fun(Scope) ->
+ oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
+ ScopeList);
+ true ->
+ {false, expired}
+ end;
_ ->
- false
+ {false, not_found}
end.
check_token(ScopeList, Token) ->
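Review bot: In the `Expire > TS` arm, check_token/4 still returns the bare boolean from `lists:any/2` when no scope matches, while the other two arms now return `{false, expired}` and `{false, not_found}`; check_token/2 in the following hunk wraps the same test and yields `{false, no_matching_scope}`, so the two functions disagree and every /4 caller is forced to match `_` rather than `{false, _}`. Wrapping the scope test in a `case` as below gives check_token/4 the uniform shape `true | {false, Reason}`, and if the function carries a `-spec` it should be updated to that shape at the same time, since the old `boolean()` return no longer holds. check_token/4 starts before this hunk.

```erlang
Expire > TS ->
    TokenScopeSet = oauth2_priv_set:new(TokenScope),
    case lists:any(fun(Scope) ->
                       oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
                   ScopeList) of
        true -> true;
        false -> {false, no_matching_scope}
    end;
%% … unchanged: expired and not_found arms …
```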
@@ -336,15 +341,20 @@ check_token(ScopeList, Token) ->
expire = Expire}] ->
{MegaSecs, Secs, _} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
- TokenScopeSet = oauth2_priv_set:new(TokenScope),
- case lists:any(fun(Scope) ->
- oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
- ScopeList) andalso Expire > TS of
- true -> {ok, user, US};
- false -> false
+ if
+ Expire > TS ->
+ TokenScopeSet = oauth2_priv_set:new(TokenScope),
+ case lists:any(fun(Scope) ->
+ oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
+ ScopeList) of
+ true -> {ok, user, US};
+ false -> {false, no_matching_scope}
+ end;
+ true ->
+ {false, expired}
end;
_ ->
- false
+ {false, not_found}
end.
diff --git a/src/mod_http_api.erl b/src/mod_http_api.erl
index 6f6d59cda..cda4d6059 100644
--- a/src/mod_http_api.erl
+++ b/src/mod_http_api.erl
@@ -162,14 +162,15 @@ check_permissions2(#request{auth = HTTPAuth, headers = Headers}, Call, _, ScopeL
case oauth_check_token(ScopeList, Token) of
{ok, user, {User, Server}} ->
{ok, {User, Server, {oauth, Token}, Admin}};
- false ->
- false
+ {false, Reason} ->
+ {false, Reason}
end;
_ ->
false
end,
case Auth of
{ok, A} -> {allowed, Call, A};
+ {false, no_matching_scope} -> outofscope_response();
_ -> unauthorized_response()
end;
check_permissions2(_Request, Call, open, _Scope) ->
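Review bot: The new `{false, no_matching_scope} -> outofscope_response()` arm reports an authorization failure on an otherwise valid token with the same 401 status as the invalid-token case, since outofscope_response/0 (added further down in this diff) calls `json_error(401, 11, ...)`. A 401 tells an HTTP client its credentials are bad and invites re-authentication, whereas a valid token that lacks the required scope is conventionally a 403, so `json_error(403, 11, <<"Token does not grant usage to command required scope.">>)` would be the clearer signal and may stop clients from retrying the same token. Separately, `{false, Reason} -> {false, Reason}` is an identity clause; the inner `case` could pass the denial through as `{false, _} = Denied -> Denied`. This check_permissions2 clause begins outside the hunk.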
@@ -189,7 +190,7 @@ check_permissions2(#request{ip={IP, _Port}}, Call, _Policy, _Scope) ->
Commands when is_list(Commands) ->
case lists:member(Call, Commands) of
true -> {allowed, Call, admin};
- _ -> unauthorized_response()
+ _ -> outofscope_response()
end;
_E ->
{allowed, Call, noauth}
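Review bot: This clause is selected on the request IP with `_Policy` and `_Scope` ignored, so the `lists:member(Call, Commands)` check presumably comes from an IP-based access rule rather than from an OAuth token; switching its failure branch to outofscope_response() would then return the body "Token does not grant usage to command required scope." to a caller for whom no token was evaluated. If this path is indeed token-free, a sibling of outofscope_response/0 with its own sub-code and a message that names the access rule would describe the denial accurately; if a token can reach this clause, a one-line comment above the `case` stating that would settle it. The clause begins outside the hunk, so how Commands is obtained is not visible here.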
@@ -495,6 +496,7 @@ format_result(Tuple, {Name, {tuple, Def}}) ->
format_result(404, {_Name, _}) ->
"not_found".
+
format_error_result(conflict, Code, Msg) ->
{409, Code, iolist_to_binary(Msg)};
format_error_result(_ErrorAtom, Code, Msg) ->
@@ -503,6 +505,9 @@ format_error_result(_ErrorAtom, Code, Msg) ->
unauthorized_response() ->
json_error(401, 10, <<"Oauth Token is invalid or expired.">>).
+outofscope_response() ->
+ json_error(401, 11, <<"Token does not grant usage to command required scope.">>).
+
badrequest_response() ->
badrequest_response(<<"400 Bad Request">>).
badrequest_response(Body) ->