Add SASL PLAIN authentication support #261
Conversation
anisse
force-pushed
the
develop
branch
2 times, most recently
from
f8c59f3
to
660d29f
Compare
Add a new config option "sasl", which can be set to "none" or "plain". In none, behavior does not change and will be the same as before, using the password config option with PASS if present. When plain is selected, the new "login" option will be coupled with the existing "password" option to connect to the server with SASL PLAIN mode. The implementation currently does blind SASL login. It does not check if the server supports sasl or sasl plain, and does not verify login errors, etc. It has been successfully tested with irc.libera.chat.
|
So... I ran |
There was a problem hiding this comment.
This is probably a bit out of scope for this PR and a niche edge case, but AUTHENTICATE messages are limited to a payload of 400 base64 characters; so long username + password combinations need to be line-wrapped.
| /// The password to connect to the server. Used with PASS or with SASL authentication | ||
| #[cfg_attr(feature = "serde", serde(skip_serializing_if = "Option::is_none"))] | ||
| pub password: Option<String>, |
There was a problem hiding this comment.
You may want to make it a different configuration option. PASS's intended use is a shared server password, that is required to connect to the server at all; while SASL is to authenticate to a specific user account. That PASS can also be used as an alternative to SASL to authenticate to user account is an implementation-specific behavior of some servers.
There was a problem hiding this comment.
I don't see a practical use to having both used at the same time; the "Modern IRC" document says that SASL is used as alternative to PASS, so I don't think we should see both used in practice. I don't mind adding a second, different option though.
| let sasl_pass = Base64::encode_string( | ||
| &format!( | ||
| "\x00{}\x00{}", | ||
| self.config().login(), | ||
| self.config().password(), | ||
| ) | ||
| .bytes() | ||
| .collect::<Vec<_>>(), | ||
| ); |
There was a problem hiding this comment.
you might want to check the login and password don't contain null bytes
Add a new config option "sasl", which can be set to "none" or "plain". In none, behavior does not change and will be the same as, using the password config option with PASS.
When plain is selected, the new "login" option will be coupled with the existing "password" option to connect to the server with SASL PLAIN mode.
The implementation currently does blind SASL login. It does not check if the server supports sasl, sasl plain, and does not verify login errors, etc.
For simplicity, I chose not to add a state-machine that would handle verifying SASL support, login success, etc. It would need a different, async API for that, and I thought it would be overkill. It has been tested successfully with libera.chat.
This PR adds a new dependency "base64ct", a base64 crate by the RustCrypto project with no dependency (here std is enabled though); if you prefer I can add an ad-hoc licence compatible base64 encode function. I'd prefer not to guard the SASL support behind a feature if possible.
Tests were added and doc has been updated.
Related to #166