Support for get_password returning multiple passwords

prefiks · prefiks · commit 8929be60aa0c · 2025-03-26T07:12:07.000+01:00
diff --git a/src/xmpp_sasl_digest.erl b/src/xmpp_sasl_digest.erl
@@ -25,7 +25,8 @@
 -export([parse/1]).
 
 -type get_password_fun() :: fun((binary()) -> {false, any()} |
-                                              {binary(), atom()}).
+                                              {binary(), atom()} |
+                                              {[any()], atom()}).
 -type check_password_fun() :: fun((binary(), binary(), binary(), binary(),
                                    fun((binary()) -> binary())) ->
                                            {boolean(), any()} |
@@ -85,7 +86,14 @@ mech_step(#state{step = 3, nonce = Nonce} = State,
 		AuthzId = proplists:get_value(<<"authzid">>, KeyVals, <<>>),
 		case (State#state.get_password)(UserName) of
 		  {false, _} -> {error, not_authorized, UserName};
-		  {Passwd, AuthModule} ->
+		  {Passwds, AuthModule} ->
+		      Passwd = case Passwds of
+				   Bin when is_binary(Bin) -> Bin;
+				   List -> lists:foldl(
+				       fun(Bin, false) when is_binary(Bin) -> Bin;
+					  (_, Acc) -> Acc
+				       end, false, List)
+			       end,
 		      case (State#state.check_password)(UserName, UserName, <<"">>,
 							proplists:get_value(<<"response">>, KeyVals, <<>>),
 							fun (PW) ->
diff --git a/src/xmpp_sasl_scram.erl b/src/xmpp_sasl_scram.erl
@@ -27,7 +27,7 @@
 -include("scram.hrl").
 
 -type password() :: binary() | #scram{}.
--type get_password_fun() :: fun((binary()) -> {false | {false, atom(), binary()} | password(), module()}).
+-type get_password_fun() :: fun((binary()) -> {false | {false, atom(), binary()} | password() | [password()], module()}).
 
 -record(state,
 	{step = 2                :: 2 | 4,
@@ -124,10 +124,21 @@ mech_step(#state{step = 2, algo = Algo, ssdp = Ssdp} = State, ClientIn) ->
 		      case parse_attribute(ClientNonceAttribute) of
 			{$r, ClientNonce} ->
 			    {Pass, AuthModule} = (State#state.get_password)(UserName),
-			    LPass = if is_binary(Pass) -> jid:resourceprep(Pass);
-				       true -> Pass
+			    Pass2 = case Pass of
+					Bin when is_binary(Bin) -> Bin;
+					List when is_list(List) ->
+					    lists:foldl(
+						fun(#scram{hash = Hash} = S, _) when Algo == Hash ->
+						    S;
+						   (Bin2, false) when is_binary(Bin2) -> Bin2;
+						   (_, Acc) -> Acc
+						end, false, List);
+					Other -> Other
 				    end,
-			    case Pass of
+			    LPass = if is_binary(Pass2) -> jid:resourceprep(Pass2);
+				       true -> Pass2
+				    end,
+			    case Pass2 of
 				{false, Condition, Text} ->
 				  {error, {Condition, Text}, UserName};
 				false ->
@@ -138,7 +149,7 @@ mech_step(#state{step = 2, algo = Algo, ssdp = Ssdp} = State, ClientIn) ->
 				  {error, saslprep_failed, UserName};
 				_ ->
 				  {StoredKey, ServerKey, Salt, IterationCount} =
-				  case Pass of
+				  case Pass2 of
 				      #scram{storedkey = STK, serverkey = SEK, salt = Slt,
 					     iterationcount = IC} ->
 					  {base64:decode(STK),
@@ -148,7 +159,7 @@ mech_step(#state{step = 2, algo = Algo, ssdp = Ssdp} = State, ClientIn) ->
 					  TempSalt =
 					  p1_rand:bytes(?SALT_LENGTH),
 					  SaltedPassword =
-					  scram:salted_password(Algo, Pass,
+					  scram:salted_password(Algo, Pass2,
 								TempSalt,
 								?SCRAM_DEFAULT_ITERATION_COUNT),
 					  {scram:stored_key(Algo, scram:client_key(Algo, SaltedPassword)),
