Prosody auth WIP.

2021-05-03 20:37:23 +02:00 · 2021-05-03 20:37:23 +02:00 · 4a4ffaae2d
commit 4a4ffaae2d
parent d2e36344af
8 changed files with 414 additions and 12 deletions
--- a/conversejs/builtin.ts
+++ b/conversejs/builtin.ts
@ -14,14 +14,43 @@ function inIframe (): boolean {
  }
 }

+function authenticatedMode (): boolean {
+  if (!window.fetch) {
+    console.error('Your browser has not the fetch api, we cant log you in')
+    return false
+  }
+  if (!window.localStorage) {
+    // FIXME: is the Peertube token always in localStorage?
+    console.error('Your browser has no localStorage, we cant log you in')
+    return false
+  }
+  const tokenType = window.localStorage.getItem('token_type') ?? ''
+  const accessToken = window.localStorage.getItem('access_token') ?? ''
+  const refreshToken = window.localStorage.getItem('refresh_token') ?? ''
+  if (tokenType === '' && accessToken === '' && refreshToken === '') {
+    console.info('User seems not to be logged in.')
+    return false
+  }
+  return true
+}
+
+interface InitConverseParams {
+  jid: string
+  assetsPath: string
+  room: string
+  boshServiceUrl: string
+  websocketServiceUrl: string
+  tryAuthenticatedMode: string
+}
 window.initConverse = function initConverse ({
  jid,
  assetsPath,
  room,
  boshServiceUrl,
-  websocketServiceUrl
-}) {
-  window.converse.initialize({
+  websocketServiceUrl,
+  tryAuthenticatedMode
+}: InitConverseParams) {
+  const params: any = {
    assets_path: assetsPath,

    authentication: 'anonymous',
@ -53,7 +82,21 @@ window.initConverse = function initConverse ({
    show_client_info: false,
    allow_adhoc_commands: false,
    allow_contact_requests: false,
+    allow_logout: false,
    show_controlbox_by_default: false,
-    view_mode: 'fullscreen'
-  })
+    view_mode: 'fullscreen',
+    allow_message_corrections: true,
+    allow_message_retraction: 'all'
+  }
+
+  if (tryAuthenticatedMode === 'true' && authenticatedMode()) {
+    params.authentication = 'login'
+    params.auto_login = true
+    params.auto_reconnect = true
+    params.jid = 'john@localhost'
+    params.password = 'password'
+    // FIXME: use params.oauth_providers?
+  }
+
+  window.converse.initialize(params)
 }
--- a/conversejs/index.html
+++ b/conversejs/index.html
@ -24,6 +24,7 @@
    room: '{{ROOM}}',
    boshServiceUrl: '{{BOSH_SERVICE_URL}}',
    websocketServiceUrl: '{{WS_SERVICE_URL}}',
+    tryAuthenticatedMode: '{{TRY_AUTHENTICATED_MODE}}'
  })
 </script>
 </body>
--- a/prosody-modules/mod_auth_http/README.markdown
+++ b/prosody-modules/mod_auth_http/README.markdown
@ -0,0 +1,128 @@
+---
+labels:
+- Stage-Alpha
+summary: "Authenticate users against an external HTTP API"
+...
+
+# Overview
+
+This authentication module allows Prosody to authenticate users against
+an external HTTP service.
+
+# Configuration
+
+``` lua
+VirtualHost "example.com"
+  authentication = "http"
+  http_auth_url = "http://example.com/auth"
+```
+
+If the API requires Prosody to authenticate, you can provide static
+credentials using HTTP Basic authentication, like so:
+
+```
+http_auth_credentials = "prosody:secret-password"
+```
+
+# Developers
+
+This section contains information for developers who wish to implement a
+HTTP service that Prosody can use for authentication.
+
+## Protocol
+
+Prosody will make a HTTP request to the configured API URL with an
+appended `/METHOD` where `METHOD` is one of the methods described below.
+
+GET methods must expect a series of URL-encoded query parameters, while
+POST requests will receive an URL-encoded form (i.e.
+`application/x-www-form-urlencoded`).
+
+## Parameters
+
+user
+: The username, e.g. `stephanie` for the JID `stephanie@example.com`.
+
+server
+: The host part of the user's JID, e.g. `example.com` for the JID
+  `stephanie@example.com`.
+
+pass
+: For methods that verify or set a user's password, the password will
+  be supplied in this parameter, otherwise it is not set.
+
+## Methods
+
+The only mandatory methods that the service must implement are `check_password`
+and `user_exists`. Unsupported methods should return a HTTP status code
+of `501 Not Implemented`, but other error codes will also be handled by
+Prosody.
+
+### register
+
+**HTTP method:**
+: POST
+
+**Success codes:**
+: 201
+
+**Error codes:**
+: 409 (user exists)
+
+### check_password
+
+**HTTP method:**
+: GET
+
+**Success codes:**
+: 200
+
+**Response:**
+: A text string of `true` if the user exists, or `false` otherwise.
+
+### user_exists
+
+**HTTP method:**
+: GET
+
+**Success codes:**
+: 200
+
+**Response:**
+: A text string of `true` if the user exists, or `false` otherwise.
+
+### set_password
+
+**HTTP method:**
+: POST
+
+**Success codes:**
+: 200, 201, or 204
+
+### remove_user
+
+**HTTP method:**
+: POST
+
+**Success codes:**
+: 200, 201 or 204
+
+## Examples
+
+With the following configuration:
+
+```
+authentication = "http"
+http_auth_url = "https://auth.example.net/api"
+
+If a user connects and tries to log in to Prosody as "romeo@example.net"
+with the password "iheartjuliet", Prosody would make the following HTTP
+request:
+
+```
+https://auth.example.net/api/check_password?user=romeo&server=example.net&pass=iheartjuliet
+```
+
+# Compatibility
+
+Requires Prosody 0.11.0 or later.
--- a/prosody-modules/mod_auth_http/mod_auth_http.lua
+++ b/prosody-modules/mod_auth_http/mod_auth_http.lua
@ -0,0 +1,122 @@
+-- Prosody IM
+-- Copyright (C) 2008-2013 Matthew Wild
+-- Copyright (C) 2008-2013 Waqas Hussain
+-- Copyright (C) 2014 Kim Alvefur
+--
+-- This project is MIT/X11 licensed. Please see the
+-- COPYING file in the source package for more information.
+--
+
+local new_sasl = require "util.sasl".new;
+local base64 = require "util.encodings".base64.encode;
+local have_async, async = pcall(require, "util.async");
+local http = require "net.http";
+
+if not have_async then
+	error("Your version of Prosody does not support async and is incompatible");
+end
+
+local host = module.host;
+
+local api_base = module:get_option_string("http_auth_url",  ""):gsub("$host", host);
+if api_base == "" then error("http_auth_url required") end
+api_base = api_base:gsub("/$", "");
+
+local auth_creds = module:get_option_string("http_auth_credentials");
+
+local method_types = {
+	-- Unlisted methods default to GET
+	register = "POST";
+	set_password = "POST";
+	remove_user = "POST";
+};
+
+local provider = {};
+
+local function make_request(method_name, params)
+	local wait, done = async.waiter();
+
+	local method_type = method_types[method_name] or "GET";
+
+	params.server = params.server or host;
+	local encoded_params = http.formencode(params);
+
+	local url;
+	local ex = {
+		method = method_type;
+		headers = { Authorization = auth_creds and ("Basic "..base64(auth_creds)) or nil; };
+	}
+	if method_type == "POST" then
+		url = api_base.."/"..method_name;
+		ex.headers["Content-Type"] = "application/x-www-form-urlencoded";
+		ex.body = encoded_params;
+	else
+		url = api_base.."/"..method_name.."?"..encoded_params;
+	end
+
+	local content, code;
+	local function cb(content_, code_)
+		content, code = content_, code_;
+		done();
+	end
+	http.request(url, ex, cb);
+	wait();
+	return code, content;
+end
+
+function provider.test_password(username, password)
+	local code, body = make_request("check_password", { user = username, pass = password });
+	if code == 200 and body == "true" then
+		return true;
+	end
+	return false;
+end
+
+function provider.users()
+	return function()
+		return nil;
+	end
+end
+
+function provider.set_password(username, password)
+	local code = make_request("set_password", { user = username, pass = password });
+	if code == 200 or code == 201 or code == 204 then
+		return true;
+	end
+	return false;
+end
+
+function provider.user_exists(username)
+	local code, body = make_request("user_exists", { user = username });
+	if code == 200 and body == "true" then
+		return true;
+	end
+	return false;
+end
+
+function provider.create_user(username, password)
+	local code = make_request("register", { user = username, pass = password });
+	if code == 201 then
+		return true;
+	end
+	return false;
+end
+
+function provider.delete_user(username)
+	local code = make_request("remove_user", { user = username });
+	if code == 200 or code == 201 or code == 204 then
+		return true;
+	end
+	return false;
+end
+
+function provider.get_sasl_handler()
+	return new_sasl(host, {
+		--luacheck: ignore 212/sasl 212/realm
+		plain_test = function(sasl, username, password, realm)
+			return provider.test_password(username, password), true;
+		end;
+	});
+end
+
+module:provides("auth", provider);
--- a/server/lib/prosody/config.ts
+++ b/server/lib/prosody/config.ts
@ -94,11 +94,14 @@ async function getProsodyConfig (options: RegisterServerOptions): Promise<Prosod
  const peertubeDomain = 'localhost'
  const paths = await getProsodyFilePaths(options)

-  const roomApiUrl = options.peertubeHelpers.config.getWebserverUrl() +
+  const baseApiUrl = options.peertubeHelpers.config.getWebserverUrl() +
    getBaseRouter() +
-    'api/room?jid={room.jid|jid_node}'
+    'api/'
+  const authApiUrl = baseApiUrl + 'user'
+  const roomApiUrl = baseApiUrl + 'room?jid={room.jid|jid_node}'

  const config = new ProsodyConfigContent(paths)
+  config.useHttpAuthentication(authApiUrl)
  config.usePeertubeBosh(peertubeDomain, port)
  config.useMucHttpDefault(roomApiUrl)
  config.setArchive('1w') // Remove archived messages after 1 week
--- a/server/lib/prosody/config/content.ts
+++ b/server/lib/prosody/config/content.ts
@ -99,6 +99,7 @@ type ProsodyLogLevel = 'debug' | 'info'
 class ProsodyConfigContent {
  paths: ProsodyFilePaths
  global: ProsodyConfigGlobal
+  authenticated?: ProsodyConfigVirtualHost
  anon: ProsodyConfigVirtualHost
  muc: ProsodyConfigComponent
  log: string
@ -154,6 +155,15 @@ class ProsodyConfigContent {
    this.muc.set('muc_room_default_history_length', 20)
  }

+  useHttpAuthentication (url: string): void {
+    this.authenticated = new ProsodyConfigVirtualHost('localhost')
+
+    this.authenticated.set('authentication', 'http')
+    this.authenticated.set('modules_enabled', ['ping', 'auth_http'])
+
+    this.authenticated.set('http_auth_url', url)
+  }
+
  usePeertubeBosh (peertubeDomain: string, port: string): void {
    this.global.set('c2s_require_encryption', false)
    this.global.set('interfaces', ['127.0.0.1', '::1'])
@ -176,6 +186,15 @@ class ProsodyConfigContent {
    this.anon.set('http_external_url', 'http://' + peertubeDomain)

    this.muc.set('restrict_room_creation', 'local')
+
+    if (this.authenticated) {
+      this.authenticated.set('trusted_proxies', ['127.0.0.1', '::1'])
+      this.authenticated.set('allow_anonymous_s2s', false)
+      this.authenticated.add('modules_enabled', 'http')
+      this.authenticated.add('modules_enabled', 'bosh')
+      this.authenticated.set('http_host', peertubeDomain)
+      this.authenticated.set('http_external_url', 'http://' + peertubeDomain)
+    }
  }

  useMucHttpDefault (url: string): void {
@ -208,6 +227,10 @@ class ProsodyConfigContent {
    content += this.global.write()
    content += this.log + '\n'
    content += '\n\n'
+    if (this.authenticated) {
+      content += this.authenticated.write()
+      content += '\n\n'
+    }
    content += this.anon.write()
    content += '\n\n'
    content += this.muc.write()
--- a/server/lib/routers/api.ts
+++ b/server/lib/routers/api.ts
@ -44,11 +44,17 @@ async function initApiRouter (options: RegisterServerOptions): Promise<Router> {
      }
      // check settings (chat enabled for this video?)
      const settings = await options.settingsManager.getSettings([
+        'chat-use-prosody',
        'chat-only-locals',
        'chat-all-lives',
        'chat-all-non-lives',
        'chat-videos-list'
      ])
+      if (!settings['chat-use-prosody']) {
+        logger.warn('Prosody chat is not active')
+        res.sendStatus(403)
+        return
+      }
      if (!videoHasWebchat({
        'chat-only-locals': settings['chat-only-locals'] as boolean,
        'chat-all-lives': settings['chat-all-lives'] as boolean,
@ -73,6 +79,82 @@ async function initApiRouter (options: RegisterServerOptions): Promise<Router> {
    }
  ))

+  router.post('/user/register', asyncMiddleware(
+    async (req: Request, res: Response, _next: NextFunction) => {
+      res.sendStatus(501)
+    }
+  ))
+
+  router.get('/user/check_password', asyncMiddleware(
+    async (req: Request, res: Response, _next: NextFunction) => {
+      const settings = await options.settingsManager.getSettings([
+        'chat-use-prosody',
+        'chat-only-locals',
+        'chat-all-lives',
+        'chat-all-non-lives',
+        'chat-videos-list'
+      ])
+      if (!settings['chat-use-prosody']) {
+        logger.warn('Prosody chat is not active')
+        res.status(200).send('false')
+        return
+      }
+      const user = req.query.user
+      const server = req.query.server
+      const pass = req.query.pass
+      if (server !== 'localhost') {
+        logger.warn(`Cannot call check_password on user on server ${server as string}.`)
+        res.status(200).send('false')
+        return
+      }
+      if (user === 'john' && pass === 'password') {
+        res.status(200).send('true')
+        return
+      }
+      res.status(200).send('false')
+    }
+  ))
+
+  router.get('/user/user_exists', asyncMiddleware(
+    async (req: Request, res: Response, _next: NextFunction) => {
+      const settings = await options.settingsManager.getSettings([
+        'chat-use-prosody',
+        'chat-only-locals',
+        'chat-all-lives',
+        'chat-all-non-lives',
+        'chat-videos-list'
+      ])
+      if (!settings['chat-use-prosody']) {
+        logger.warn('Prosody chat is not active')
+        res.status(200).send('false')
+        return
+      }
+      const user = req.query.user
+      const server = req.query.server
+      if (server !== 'localhost') {
+        logger.warn(`Cannot call user_exists on user on server ${server as string}.`)
+        res.status(200).send('false')
+        return
+      }
+      if (user === 'john') {
+        res.status(200).send('true')
+      }
+      res.status(200).send('false')
+    }
+  ))
+
+  router.post('/user/set_password', asyncMiddleware(
+    async (req: Request, res: Response, _next: NextFunction) => {
+      res.sendStatus(501)
+    }
+  ))
+
+  router.post('/user/remove_user', asyncMiddleware(
+    async (req: Request, res: Response, _next: NextFunction) => {
+      res.sendStatus(501)
+    }
+  ))
+
  return router
 }

--- a/server/lib/routers/webchat.ts
+++ b/server/lib/routers/webchat.ts
@ -1,6 +1,7 @@
 import type { Router, RequestHandler, Request, Response, NextFunction } from 'express'
 import type { ProxyOptions } from 'express-http-proxy'
 import { getBaseRouter } from '../helpers'
+import { asyncMiddleware } from '../middlewares/async'
 import * as path from 'path'
 const bodyParser = require('body-parser')

@ -20,8 +21,8 @@ async function initWebchatRouter (options: RegisterServerOptions): Promise<Route

  const router: Router = getRouter()
  // eslint-disable-next-line @typescript-eslint/no-misused-promises
-  router.get('/room/:videoUUID', async (req: Request, res: Response, next: NextFunction): Promise<void> => {
-    try {
+  router.get('/room/:videoUUID', asyncMiddleware(
+    async (req: Request, res: Response, _next: NextFunction): Promise<void> => {
      const settings = await settingsManager.getSettings([
        'chat-use-prosody', 'chat-use-builtin', 'chat-room', 'chat-server',
        'chat-bosh-uri', 'chat-ws-uri'
@ -69,14 +70,13 @@ async function initWebchatRouter (options: RegisterServerOptions): Promise<Route
      page = page.replace(/{{ROOM}}/g, room)
      page = page.replace(/{{BOSH_SERVICE_URL}}/g, boshUri)
      page = page.replace(/{{WS_SERVICE_URL}}/g, wsUri)
+      page = page.replace(/{{TRY_AUTHENTICATED_MODE}}/g, settings['chat-use-prosody'] ? 'true' : 'false')

      res.status(200)
      res.type('html')
      res.send(page)
-    } catch (error) {
-      next(error)
    }
-  })
+  ))

  changeHttpBindRoute(options, null)
  router.all('/http-bind',