Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5509:ae007be8a6bd
mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing out.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 02 Jun 2023 08:59:59 +0200 |
| parents | fd4d89a5b8db |
| children | a49d73e4262e |
comparison
equal
deleted
inserted
replaced
| 5508:56803acfa638 | 5509:ae007be8a6bd |
|---|---|
| 64 ["Content-Type"] = "text/html; charset=utf-8"; | 64 ["Content-Type"] = "text/html; charset=utf-8"; |
| 65 ["Content-Security-Policy"] = "default-src 'self'"; | 65 ["Content-Security-Policy"] = "default-src 'self'"; |
| 66 ["Referrer-Policy"] = "no-referrer"; | 66 ["Referrer-Policy"] = "no-referrer"; |
| 67 ["X-Frame-Options"] = "DENY"; | 67 ["X-Frame-Options"] = "DENY"; |
| 68 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private"; | 68 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private"; |
| 69 ["Pragma"] = "no-cache"; | |
| 69 }; | 70 }; |
| 70 body = _render_html(template, data); | 71 body = _render_html(template, data); |
| 71 }; | 72 }; |
| 72 return resp; | 73 return resp; |
| 73 end | 74 end |
| 358 redirect.query = http.formencode(query); | 359 redirect.query = http.formencode(query); |
| 359 | 360 |
| 360 return { | 361 return { |
| 361 status_code = 303; | 362 status_code = 303; |
| 362 headers = { | 363 headers = { |
| 364 cache_control = "no-store"; | |
| 365 pragma = "no-cache"; | |
| 363 location = url.build(redirect); | 366 location = url.build(redirect); |
| 364 }; | 367 }; |
| 365 } | 368 } |
| 366 end | 369 end |
| 367 | 370 |
| 380 redirect.fragment = http.formencode(token_info); | 383 redirect.fragment = http.formencode(token_info); |
| 381 | 384 |
| 382 return { | 385 return { |
| 383 status_code = 303; | 386 status_code = 303; |
| 384 headers = { | 387 headers = { |
| 388 cache_control = "no-store"; | |
| 389 pragma = "no-cache"; | |
| 385 location = url.build(redirect); | 390 location = url.build(redirect); |
| 386 }; | 391 }; |
| 387 } | 392 } |
| 388 end | 393 end |
| 389 | 394 |
| 618 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); | 623 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); |
| 619 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); | 624 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); |
| 620 return { | 625 return { |
| 621 status_code = 303; | 626 status_code = 303; |
| 622 headers = { | 627 headers = { |
| 628 cache_control = "no-store"; | |
| 629 pragma = "no-cache"; | |
| 623 location = redirect_uri; | 630 location = redirect_uri; |
| 624 }; | 631 }; |
| 625 }; | 632 }; |
| 626 end | 633 end |
| 627 | 634 |
| 658 | 665 |
| 659 function handle_token_grant(event) | 666 function handle_token_grant(event) |
| 660 local credentials = get_request_credentials(event.request); | 667 local credentials = get_request_credentials(event.request); |
| 661 | 668 |
| 662 event.response.headers.content_type = "application/json"; | 669 event.response.headers.content_type = "application/json"; |
| 670 event.response.headers.cache_control = "no-store"; | |
| 671 event.response.headers.pragma = "no-cache"; | |
| 663 local params = http.formdecode(event.request.body); | 672 local params = http.formdecode(event.request.body); |
| 664 if not params then | 673 if not params then |
| 665 return oauth_error("invalid_request"); | 674 return oauth_error("invalid_request"); |
| 666 end | 675 end |
| 667 | 676 |
| 772 return ret; | 781 return ret; |
| 773 end | 782 end |
| 774 | 783 |
| 775 local function handle_revocation_request(event) | 784 local function handle_revocation_request(event) |
| 776 local request, response = event.request, event.response; | 785 local request, response = event.request, event.response; |
| 786 response.headers.cache_control = "no-store"; | |
| 787 response.headers.pragma = "no-cache"; | |
| 777 if request.headers.authorization then | 788 if request.headers.authorization then |
| 778 local credentials = get_request_credentials(request); | 789 local credentials = get_request_credentials(request); |
| 779 if not credentials or credentials.type ~= "basic" then | 790 if not credentials or credentials.type ~= "basic" then |
| 780 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); | 791 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); |
| 781 return 401; | 792 return 401; |
| 964 local response, err = create_client(client_metadata); | 975 local response, err = create_client(client_metadata); |
| 965 if err then return err end | 976 if err then return err end |
| 966 | 977 |
| 967 return { | 978 return { |
| 968 status_code = 201; | 979 status_code = 201; |
| 969 headers = { content_type = "application/json" }; | 980 headers = { |
| 981 cache_control = "no-store"; | |
| 982 pragma = "no-cache"; | |
| 983 content_type = "application/json"; | |
| 984 }; | |
| 970 body = json.encode(response); | 985 body = json.encode(response); |
| 971 }; | 986 }; |
| 972 end | 987 end |
| 973 | 988 |
| 974 if not registration_key then | 989 if not registration_key then |
