auth/lua: Remove auth_request#response_from_template()

data/updates.js

@@ -18,6 +18,7 @@ export const updates = {
 	crypt_des_md5_schemes: '2.4.0',
 	auth_client_common_secured: '2.4.0',
 	auth_imap_arg_configuration_removed: '2.4.0',
+	auth_lua_string_response_removed: '2.4.1',
 	auth_nss: '2.3.0',
 	auth_oauth2_no_passdb_changed: '2.4.0',
 	auth_policy_fail_type: '2.4.0',

docs/core/config/auth/databases/lua.md

@@ -111,6 +111,10 @@ Logs warning message.
 
 ##### `auth_request#response_from_template(template)`
 
+[[removed,auth_lua_string_response_removed]] This was a bit unsafe
+function. Return the table instead with the necessary
+`auth_request#var_expand()` calls.
+
 Takes in `key=value` template and expands it using `var_expand()` and produces
 table suitable for passdb result.
 
@@ -204,7 +208,7 @@ passdb lua {
 If `auth_password_verify` is found, it's always used.
 
 By default, dovecot runs Lua scripts in auth-worker processes. If you do not
-want this, you can disable blocking, and Lua script will be run in auth
+want this, you can disable using worker, and Lua script will be run in auth
 process. This can degrade performance if your script is slow or makes external
 lookups.
 
@@ -216,33 +220,38 @@ Lua passdb supports two modes of function:
 
 Function signature is `auth_passdb_lookup(request)`.
 
-Function must return a tuple, which contains a return code, and also
-additionally a string or table.
+Function must return a tuple, which contains:
+ * `dovecot.auth.PASSDB_RESULT_OK` and extra fields table
+ * `dovecot.auth.PASSDB_RESULT_*` error and error string
 
-Table must be in key-value format, as it will be imported into auth request.
+The extra fields table must be in key-value format, as it will be imported into
+auth request.
 
-The string must be in `key=value` format, except if return code indicates
-internal error, the second parameter can be used as error string.
+[[removed,auth_lua_string_response_removed]] String can no longer be returned
+for `PASSDB_RESULT_OK`.
 
 #### Password Verification Database
 
 Function signature is `auth_password_verify(request, password)`.
 
-Function must return a tuple, which contains a return code, and also
-additionally a string or table.
+Function must return a tuple, which contains:
+ * `dovecot.auth.PASSDB_RESULT_OK` and extra fields table
+ * `dovecot.auth.PASSDB_RESULT_*` error and error string
 
-Table must be in key-value format, as it will be imported into auth request.
+The extra fields table must be in key-value format, as it will be imported into
+auth request.
 
-The string must be in `key=value` format, except if return code indicates
-internal error, the second parameter can be used as error string.
+[[removed,auth_lua_string_response_removed]] String can no longer be returned
+for `PASSDB_RESULT_OK`.
 
 ## userdb
 
 To configure userdb in dovecot, use:
 
 ```[dovecot.conf]
 userdb lua {
-  args = file=/path/to/lua blocking=yes # default is yes
+  lua_file = /path/to/lua
+  use_worker = yes # default is yes
 }
 ```
 
@@ -254,13 +263,15 @@ Lua userdb supports both single user lookup and iteration.
 
 Function signature is `auth_userdb_lookup(request)`.
 
-The function must return a tuple, which contains a return code, and also
-additionally a string or table.
+Function must return a tuple, which contains:
+ * `dovecot.auth.USERDB_RESULT_OK` and extra fields table
+ * `dovecot.auth.USERDB_RESULT_*` error and error string
 
-Table must be in key-value format, as it will be imported into auth request.
+The extra fields table must be in key-value format, as it will be imported into
+auth request.
 
-The string must be in key=value format, except if return code indicates
-internal error, the second parameter can be used as error string.
+[[removed,auth_lua_string_response_removed]] String can no longer be returned
+for `USERDB_RESULT_OK`.
 
 #### User Iteration
 
@@ -277,14 +288,14 @@ The iteration will hold the whole user database in memory during iteration.
 ```lua:line-numbers
 function auth_passdb_lookup(req)
   if req.user == "testuser1" then
-    return dovecot.auth.PASSDB_RESULT_OK, "password=pass"
+    return dovecot.auth.PASSDB_RESULT_OK, { password = "pass" }
   end
   return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
 end
 
 function auth_userdb_lookup(req)
   if req.user == "testuser1" then
-    return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail"
+    return dovecot.auth.USERDB_RESULT_OK, { uid = "vmail", gid = "vmail" }
   end
   return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
 end
@@ -319,12 +330,12 @@ function auth_passdb_lookup(req)
     for user, pass in string.gmatch(line, "(%w+)%s(.+)") do
       if (user == req.username) then
         -- you can add additional information here, like userdb_uid
-        return dovecot.auth.PASSDB_RESULT_OK, "password=" .. pass
+        return dovecot.auth.PASSDB_RESULT_OK, { password = pass }
       end
     end
   end
 
-  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN
 end
 ```
 
@@ -349,18 +360,18 @@ function auth_passdb_lookup(req)
   res = db_lookup(req.username)
   if res.result == 0 then
     -- you can add additional information here for passdb
-    return dovecot.auth.PASSDB_RESULT_OK, "password=" .. res.password
+    return dovecot.auth.PASSDB_RESULT_OK, { password = res.password }
   end
-  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, ""
+  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN
 end
 
 function auth_userdb_lookup(req)
   res = db_lookup(req.username)
   if res.result == 0 then
     -- you can add additional information here for userdb, like uid or home
-    return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail"
+    return dovecot.auth.USERDB_RESULT_OK, { uid = "vmail, gid = "vmail" }
   end
-  return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, ""
+  return dovecot.auth.USERDB_RESULT_USER_UNKNOWN
 end
 
 function auth_userdb_iterate()