Potential issues identified

While doing the implementation we identified potential issues



  • allows users from only one domain - our solution was to create an account with the sub in our domain
  • how to handle auth with JWT - extend the default auth with a plugin












How do we handle JWT authentication?

Let's say it is this time. So how can we search this array?



We have extended mod_auth_internal_hashed:



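--- Prosody auth-provider hook: check a password, or a JWT carried in the password field.
-- Two paths exist:
--   * Token path: the password has the form "jwt:<token>".  The token is verified with the
--     configured public key (RS256) and its `sub` claim must equal the authenticating username.
--   * Regular path: the stored credentials are checked as in stock mod_auth_internal_hashed
--     (plaintext upgrade to hashed form, then stored_key/server_key comparison).
-- @tparam string username  the bare username being authenticated
-- @tparam string|nil password  the client-supplied password (nil when SASLprep failed upstream)
-- @treturn true on success, otherwise nil plus an error message
function provider.test_password(username, password)
    log("info", "test password for user '%s'", username);
    local credentials = accounts:get(username) or {};
    if not password then
        return nil, "Password fails SASLprep.";
    end

    -- Only a password that *starts* with "jwt:" selects token auth.  The previous unanchored
    -- match(password, "jwt") diverted any password merely containing "jwt" into the token path,
    -- which broke such passwords and let the client pick the auth path from anywhere in the string.
    local token = string.match(password, "^jwt:(.*)$")
    if token then
        log("info", "ignore default auth and use jwt validation")

        if token == "" then
            return nil, "Auth failed. Empty token.";
        end

        -- NOTE(review): /tmp is world-writable; a key that acts as the trust anchor for
        -- authentication should be read from a protected configuration directory — TODO confirm
        -- the deployment path.
        local pubkey = read_file("/tmp/key.pub")
        if not pubkey or pubkey == "" then
            log("error", "jwt public key could not be read")
            return nil, "Auth failed. Token verification key unavailable.";
        end

        local decoded, err = jwt.verify(token, "RS256", pubkey)

        -- The error text originates from the token/library; pass it as an argument, never as the
        -- format string, so a stray '%' cannot break the log call.  A nil result without an error
        -- is treated as failure too.
        if err ~= nil or decoded == nil then
            log("error", "jwt verification failed: %s", tostring(err))
            return nil, err or "Auth failed. Token verification failed.";
        end

        -- Reject expired tokens here as well; whether jwt.verify enforces `exp` is not visible in
        -- this module and the check is cheap.  `exp` is a NumericDate (seconds since the epoch).
        local exp = tonumber(decoded['exp'])
        if exp ~= nil and os.time() >= exp then
            return nil, "Auth failed. Token has expired.";
        end

        local sub = decoded['sub']

        -- tostring(): a missing claim must not turn the debug log into a format error.
        log("debug", "sub id found  %s", tostring(sub))

        -- Exact string equality: a nil or non-string `sub` never matches.
        -- NOTE(review): this path does not consult `credentials`; whether the account must already
        -- exist is decided elsewhere (user_exists) — confirm that is the intended policy.
        if username == sub then
            return true;
        else
            return nil, "Invalid token for current user-id"
        end
    end

    password = saslprep(password);

    -- Legacy plaintext record: compare, then rewrite it in hashed form.
    if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
        if not secure_equals(saslprep(credentials.password), password) then
            return nil, "Auth failed. Provided password is incorrect.";
        end

        if provider.set_password(username, credentials.password) == nil then
            return nil, "Auth failed. Could not set hashed password from plaintext.";
        else
            return true;
        end
    end

    if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
        return nil, "Auth failed. Stored salt and iteration count information is not complete.";
    end

    -- Derive the SCRAM keys from the supplied password and compare them, in constant time, with
    -- the stored hex-encoded keys.
    local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count);

    local stored_key_hex = to_hex(stored_key);
    local server_key_hex = to_hex(server_key);

    if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then
        return true;
    else
        return nil, "Auth failed. Invalid username, password, or password hash information.";
    end
end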














Questions?