local md5 = require "util.hashes".md5;
local config = require "core.configmanager";
+local secure_auth_only = config.get(module:get_host(), "core", "require_encryption");
+
local log = module._log;
local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
local function sasl_handler(session, stanza)
if stanza.name == "auth" then
-- FIXME ignoring duplicates because ejabberd does
- if config.get(session.host or "*", "core", "anonymous_login") and stanza.attr.mechanism ~= "ANONYMOUS" then
- return session.send(build_reply("failure", "invalid-mechanism"));
+ if config.get(session.host or "*", "core", "anonymous_login") then
+ if stanza.attr.mechanism ~= "ANONYMOUS" then
+ return session.send(build_reply("failure", "invalid-mechanism"));
+ end
elseif stanza.attr.mechanism == "ANONYMOUS" then
return session.send(build_reply("failure", "mechanism-too-weak"));
end
module:add_event_hook("stream-features",
function (session, features)
if not session.username then
+ if secure_auth_only and not session.secure then
+ return;
+ end
features:tag("mechanisms", mechanisms_attr);
-- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
if config.get(session.host or "*", "core", "anonymous_login") then