Add support for sending back missing scope error to API ReST command calls
This commit is contained in:
parent
4bf8ce7681
commit
674a8039ef
@ -51,7 +51,7 @@ mech_step(State, ClientIn) ->
|
||||
{ok,
|
||||
[{username, User}, {authzid, AuthzId},
|
||||
{auth_module, ejabberd_oauth}]};
|
||||
false ->
|
||||
_ ->
|
||||
{error, <<"not-authorized">>, User}
|
||||
end;
|
||||
_ -> {error, <<"bad-protocol">>}
|
||||
|
@ -682,7 +682,7 @@ check_auth(Command, {User, Server, {oauth, Token}, _}) ->
|
||||
case ejabberd_oauth:check_token(User, Server, ScopeList, Token) of
|
||||
true ->
|
||||
{ok, User, Server};
|
||||
false ->
|
||||
_ ->
|
||||
throw({error, invalid_account_data})
|
||||
end;
|
||||
check_auth(_Command, {User, Server, Password, _}) when is_binary(Password) ->
|
||||
|
@ -321,12 +321,17 @@ check_token(User, Server, ScopeList, Token) ->
|
||||
expire = Expire}] ->
|
||||
{MegaSecs, Secs, _} = os:timestamp(),
|
||||
TS = 1000000 * MegaSecs + Secs,
|
||||
TokenScopeSet = oauth2_priv_set:new(TokenScope),
|
||||
lists:any(fun(Scope) ->
|
||||
oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
|
||||
ScopeList) andalso Expire > TS;
|
||||
if
|
||||
Expire > TS ->
|
||||
TokenScopeSet = oauth2_priv_set:new(TokenScope),
|
||||
lists:any(fun(Scope) ->
|
||||
oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
|
||||
ScopeList);
|
||||
true ->
|
||||
{false, expired}
|
||||
end;
|
||||
_ ->
|
||||
false
|
||||
{false, not_found}
|
||||
end.
|
||||
|
||||
check_token(ScopeList, Token) ->
|
||||
@ -336,15 +341,20 @@ check_token(ScopeList, Token) ->
|
||||
expire = Expire}] ->
|
||||
{MegaSecs, Secs, _} = os:timestamp(),
|
||||
TS = 1000000 * MegaSecs + Secs,
|
||||
TokenScopeSet = oauth2_priv_set:new(TokenScope),
|
||||
case lists:any(fun(Scope) ->
|
||||
oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
|
||||
ScopeList) andalso Expire > TS of
|
||||
true -> {ok, user, US};
|
||||
false -> false
|
||||
if
|
||||
Expire > TS ->
|
||||
TokenScopeSet = oauth2_priv_set:new(TokenScope),
|
||||
case lists:any(fun(Scope) ->
|
||||
oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
|
||||
ScopeList) of
|
||||
true -> {ok, user, US};
|
||||
false -> {false, no_matching_scope}
|
||||
end;
|
||||
true ->
|
||||
{false, expired}
|
||||
end;
|
||||
_ ->
|
||||
false
|
||||
{false, not_found}
|
||||
end.
|
||||
|
||||
|
||||
|
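Review bot: check_token/4 still returns a bare `false` when the token is unexpired but grants none of the requested scopes (the `lists:any` result in its `Expire > TS` branch), while check_token/2 returns `{false, no_matching_scope}` for the same condition, so the two clauses now have different return shapes (`true | false | {false, expired | not_found}` versus `{ok, user, US} | {false, Reason}`). The callers touched by this commit match with `_ ->`, so nothing breaks today, but a future caller that pattern-matches on `{false, Reason}` would silently miss the scope-mismatch case for check_token/4; wrapping the `lists:any` result the same way check_token/2 does keeps the two in step. A `-spec` on each function stating the full tagged return type would also make the new `{false, _}` values visible to Dialyzer rather than leaving them implicit.
```erlang
%% … unchanged: lookup of TokenScope/Expire and TS computation …
                Expire > TS ->
                    TokenScopeSet = oauth2_priv_set:new(TokenScope),
                    case lists:any(fun(Scope) ->
                                           oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
                                   ScopeList) of
                        true -> true;
                        false -> {false, no_matching_scope}
                    end;
%% … unchanged: expired / not_found branches …
```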
@ -162,14 +162,15 @@ check_permissions2(#request{auth = HTTPAuth, headers = Headers}, Call, _, ScopeL
|
||||
case oauth_check_token(ScopeList, Token) of
|
||||
{ok, user, {User, Server}} ->
|
||||
{ok, {User, Server, {oauth, Token}, Admin}};
|
||||
false ->
|
||||
false
|
||||
{false, Reason} ->
|
||||
{false, Reason}
|
||||
end;
|
||||
_ ->
|
||||
false
|
||||
end,
|
||||
case Auth of
|
||||
{ok, A} -> {allowed, Call, A};
|
||||
{false, no_matching_scope} -> outofscope_response();
|
||||
_ -> unauthorized_response()
|
||||
end;
|
||||
check_permissions2(_Request, Call, open, _Scope) ->
|
||||
@ -189,7 +190,7 @@ check_permissions2(#request{ip={IP, _Port}}, Call, _Policy, _Scope) ->
|
||||
Commands when is_list(Commands) ->
|
||||
case lists:member(Call, Commands) of
|
||||
true -> {allowed, Call, admin};
|
||||
_ -> unauthorized_response()
|
||||
_ -> outofscope_response()
|
||||
end;
|
||||
_E ->
|
||||
{allowed, Call, noauth}
|
||||
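Review bot: In the IP-policy clause (`check_permissions2(#request{ip={IP, _Port}}, Call, _Policy, _Scope)`) the catch-all now calls `outofscope_response()`, which tells the client "Token does not grant usage to command required scope." for a request that carried no OAuth token at all — this branch fires when `Call` is not in the configured `Commands` list for that access rule. Error code 11 then means two unrelated things (an OAuth token lacking a scope, and a command not enabled for this rule), so an API client cannot use it to decide whether re-requesting a token with more scopes would help. Keeping `_ -> unauthorized_response()` in this clause, or adding a separate response whose message does not mention a token, would keep code 11 meaningful; the first hunk's `{false, no_matching_scope} -> outofscope_response();` branch is the only place where a token actually was checked. Both check_permissions2 clauses start or end outside these hunks, so I have not seen the rest of their bodies.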
@ -495,6 +496,7 @@ format_result(Tuple, {Name, {tuple, Def}}) ->
|
||||
format_result(404, {_Name, _}) ->
|
||||
"not_found".
|
||||
|
||||
|
||||
format_error_result(conflict, Code, Msg) ->
|
||||
{409, Code, iolist_to_binary(Msg)};
|
||||
format_error_result(_ErrorAtom, Code, Msg) ->
|
||||
@ -503,6 +505,9 @@ format_error_result(_ErrorAtom, Code, Msg) ->
|
||||
unauthorized_response() ->
|
||||
json_error(401, 10, <<"Oauth Token is invalid or expired.">>).
|
||||
|
||||
outofscope_response() ->
|
||||
json_error(401, 11, <<"Token does not grant usage to command required scope.">>).
|
||||
|
||||
badrequest_response() ->
|
||||
badrequest_response(<<"400 Bad Request">>).
|
||||
badrequest_response(Body) ->
|
||||
|
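Review bot: `outofscope_response()` answers with HTTP 401, but RFC 6750 §3.1 describes a valid token that lacks the needed scope as a 403 `insufficient_scope` case; 401 is meant for a missing, invalid or expired token, which `unauthorized_response()` already covers. Returning `json_error(403, 11, <<"Token does not grant usage to command required scope.">>).` would let clients separate "re-authenticate" from "ask for more scopes" by status alone, with the numeric code still available in the body. json_error/3 is not in this hunk, so I cannot tell whether it emits the `WWW-Authenticate: Bearer` header RFC 6750 expects on these responses — worth confirming. The code 10/11 numbering is only useful to API consumers if it is documented; a one-line comment above these two functions saying what each code means (and that they are stable) would help.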