Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 6278:4f9b42c53d0f
mod_http_oauth2: Check grant type before issuing refresh token
This prevents even issuing a refresh token to a client that has not
registered the corresponding grant type.
The grant type dispatcher also checks before invoking the refresh token
grant type handler.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 03 Jul 2025 15:34:42 +0200 |
| parents | dfc035ecabb4 |
| children | 5dc4ec836ce2 |
comparison
equal
deleted
inserted
replaced
| 6277:dfc035ecabb4 | 6278:4f9b42c53d0f |
|---|---|
| 307 version = client.software_version; | 307 version = client.software_version; |
| 308 hash = client.client_hash; | 308 hash = client.client_hash; |
| 309 }; | 309 }; |
| 310 end | 310 end |
| 311 | 311 |
| 312 local function may_issue_refresh_token(client, scope_string) | |
| 313 return array_contains(client.grant_types, "refresh_token") and array_contains(parse_scopes(scope_string), "offline_access"); | |
| 314 end | |
| 315 | |
| 312 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info) | 316 local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info) |
| 313 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil }; | 317 local token_data = { oauth2_scopes = scope_string, oauth2_client = nil }; |
| 314 if client then | 318 if client then |
| 315 token_data.oauth2_client = client_subset(client); | 319 token_data.oauth2_client = client_subset(client); |
| 316 end | 320 end |
| 332 return 500; | 336 return 500; |
| 333 end | 337 end |
| 334 end | 338 end |
| 335 -- in with the new refresh token | 339 -- in with the new refresh token |
| 336 local refresh_token; | 340 local refresh_token; |
| 337 if refresh_token_info ~= false and array_contains(parse_scopes(scope_string), "offline_access") then | 341 if refresh_token_info ~= false and may_issue_refresh_token(client, scope_string) then |
| 338 refresh_token = tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh"); | 342 refresh_token = tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh"); |
| 339 end | 343 end |
| 340 | 344 |
| 341 if role == "xmpp" then | 345 if role == "xmpp" then |
| 342 -- Special scope meaning the users default role. | 346 -- Special scope meaning the users default role. |
