Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5219:25e824f64fd3
mod_http_oauth2: Improve handling of redirect_uri matching and fallback
Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it
registered multiple. If it only registered a single URI, it may be omitted
from the authorize request.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 07 Mar 2023 13:19:19 +0000 |
| parents | 1f4b768c831a |
| children | 22483cfce3ce |
comparison
equal
deleted
inserted
replaced
| 5218:1f4b768c831a | 5219:25e824f64fd3 |
|---|---|
| 143 -- TODO: include refresh_token when implemented | 143 -- TODO: include refresh_token when implemented |
| 144 }; | 144 }; |
| 145 end | 145 end |
| 146 | 146 |
| 147 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string | 147 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string |
| 148 if not query_redirect_uri then | |
| 149 if #client.redirect_uris ~= 1 then | |
| 150 -- Client registered multiple URIs, it needs specify which one to use | |
| 151 return; | |
| 152 end | |
| 153 -- When only a single URI is registered, that's the default | |
| 154 return client.redirect_uris[1]; | |
| 155 end | |
| 156 -- Verify the client-provided URI matches one previously registered | |
| 148 for _, redirect_uri in ipairs(client.redirect_uris) do | 157 for _, redirect_uri in ipairs(client.redirect_uris) do |
| 149 if query_redirect_uri == nil or query_redirect_uri == redirect_uri then | 158 if query_redirect_uri == redirect_uri then |
| 150 return redirect_uri | 159 return redirect_uri |
| 151 end | 160 end |
| 152 end | 161 end |
| 153 end | 162 end |
| 154 | 163 |
| 197 title = "Your authorization code"; | 206 title = "Your authorization code"; |
| 198 message = "Here's your authorization code, copy and paste it into " .. (client.client_name or "your client"); | 207 message = "Here's your authorization code, copy and paste it into " .. (client.client_name or "your client"); |
| 199 extra = code; | 208 extra = code; |
| 200 }) or ("Here's your authorization code:\n%s\n"):format(code); | 209 }) or ("Here's your authorization code:\n%s\n"):format(code); |
| 201 return response; | 210 return response; |
| 211 elseif not redirect_uri then | |
| 212 return {status_code = 400}; | |
| 202 end | 213 end |
| 203 | 214 |
| 204 local redirect = url.parse(redirect_uri); | 215 local redirect = url.parse(redirect_uri); |
| 205 | 216 |
| 206 local query = http.formdecode(redirect.query or ""); | 217 local query = http.formdecode(redirect.query or ""); |
