add sha356 module

com/Auth/DeleteUnit.lua

@@ -6,6 +6,7 @@ local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
 local jwt = require("internal.crypt.jwt")
+local sha256 = require("internal.crypt.sha256")
 
 local params = session.request.params.get()
 local token = session.request.headers.get("authorization")
@@ -50,6 +51,10 @@ if data.session_uuid ~= session.id then
   return error_response("Access denied")
 end
 
+if data.key ~= sha256.sum(session.request.address .. session.id .. session.request.headers.get("user-agent", "noagent")) then
+  return error_response("Access denied")
+end
+
 if not params then
   return error_response("no params provided")
 end

com/Auth/GetAccess.lua

@@ -6,6 +6,7 @@ local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
 local jwt = require("internal.crypt.jwt")
+local sha256 = require("internal.crypt.sha256")
 
 local params = session.request.params.get()
 local secret = require("_config").token()
@@ -61,7 +62,10 @@ end
 
 local token = jwt.encode({
   secret = secret,
-  payload = { session_uuid = session.id, admin_user = params.username },
+  payload = { session_uuid = session.id,
+    admin_user = params.username,
+    key = sha256.sum(session.request.address .. session.id .. session.request.headers.get("user-agent", "noagent"))
+  },
   expires_in = 3600
 })
 

com/Auth/PutNewUnit.lua

@@ -6,6 +6,7 @@ local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
 local jwt = require("internal.crypt.jwt")
+local sha256 = require("internal.crypt.sha256")
 
 local params = session.request.params.get()
 local token = session.request.headers.get("authorization")
@@ -50,6 +51,10 @@ if data.session_uuid ~= session.id then
   return error_response("Access denied")
 end
 
+if data.key ~= sha256.sum(session.request.address .. session.id .. session.request.headers.get("user-agent", "noagent")) then
+  return error_response("Access denied")
+end
+
 if not params then
   return error_response("no params provided")
 end

internal/server/sv1/jwt.go

@@ -38,6 +38,7 @@ func jwtEncode(L *lua.LState) int {
 	payload.ForEach(func(key, value lua.LValue) {
 		claims[key.String()] = ConvertLuaTypesToGolang(value)
 	})
+	claims["iat"] = time.Now().Unix()
 	claims["exp"] = time.Now().Add(expDuration).Unix()
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

internal/server/sv1/lua_handler.go

@@ -3,6 +3,8 @@ package sv1
 // TODO: make a lua state pool using sync.Pool
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"log/slog"
@@ -409,11 +411,37 @@ func (h *HandlerV1) handleLUA(sid string, r *http.Request, req *rpc.RPCRequest,
 		return 1
 	}
 
+	loadCryptbsha256Mod := func(L *lua.LState) int {
+		llog.Debug("import module crypt.sha256", slog.String("script", path))
+		sha265mod := L.NewTable()
+
+		L.SetField(sha265mod, "sum", L.NewFunction(func(l *lua.LState) int {
+			data := ConvertLuaTypesToGolang(L.Get(1))
+			dataStr, ok := data.(string)
+			if !ok {
+				L.Push(lua.LNil)
+				L.Push(lua.LString("error: data must be a string"))
+				return 2
+			}
+
+			hash := sha256.Sum256([]byte(dataStr))
+
+			L.Push(lua.LString(hex.EncodeToString(hash[:])))
+			L.Push(lua.LNil)
+			return 2
+		}))
+
+		L.SetField(sha265mod, "__gosally_internal", lua.LString(fmt.Sprint(seed)))
+		L.Push(sha265mod)
+		return 1
+	}
+
 	L.PreloadModule("internal.session", loadSessionMod)
 	L.PreloadModule("internal.log", loadLogMod)
 	L.PreloadModule("internal.net", loadNetMod)
 	L.PreloadModule("internal.database.sqlite", loadDBMod(llog, fmt.Sprint(seed)))
 	L.PreloadModule("internal.crypt.bcrypt", loadCryptbcryptMod)
+	L.PreloadModule("internal.crypt.sha256", loadCryptbsha256Mod)
 	L.PreloadModule("internal.crypt.jwt", loadJWTMod(llog, fmt.Sprint(seed)))
 
 	llog.Debug("preparing environment")