comparison mod_http_oauth2/mod_http_oauth2.lua @ 6241:b460b2a65f0b

mod_http_oauth2: Remove now redundant client_id check from remaining grant handlers Missed these in 2505542c6c50
author Kim Alvefur <zash@zash.se>
date Tue, 03 Jun 2025 01:11:37 +0200
parents 7b3316ac24b3
children ef81c67e1ae7
comparison
equal deleted inserted replaced
6240:f96923cd35f6 6241:b460b2a65f0b
550 end 550 end
551 551
552 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token)); 552 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token));
553 end 553 end
554 554
555 function grant_type_handlers.refresh_token(params) 555 function grant_type_handlers.refresh_token(params, client)
556 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
557 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
558 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end 556 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
559
560 local client = check_client(params.client_id);
561 if not client then
562 return oauth_error("invalid_client", "incorrect credentials");
563 end
564
565 if not verify_client_secret(params.client_id, params.client_secret) then
566 module:log("debug", "client_secret mismatch");
567 return oauth_error("invalid_client", "incorrect credentials");
568 end
569 557
570 local refresh_token_info = tokens.get_token_info(params.refresh_token); 558 local refresh_token_info = tokens.get_token_info(params.refresh_token);
571 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then 559 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
572 return oauth_error("invalid_grant", "invalid refresh token"); 560 return oauth_error("invalid_grant", "invalid refresh token");
573 end 561 end
596 refresh_token_info.token = params.refresh_token; 584 refresh_token_info.token = params.refresh_token;
597 585
598 return json.encode(new_access_token(refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info)); 586 return json.encode(new_access_token(refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info));
599 end 587 end
600 588
601 grant_type_handlers[device_uri] = function(params) 589 grant_type_handlers[device_uri] = function(params, client)
602 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
603 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
604 if not params.device_code then return oauth_error("invalid_request", "missing 'device_code'"); end 590 if not params.device_code then return oauth_error("invalid_request", "missing 'device_code'"); end
605
606 local client = check_client(params.client_id);
607 if not client then
608 return oauth_error("invalid_client", "incorrect credentials");
609 end
610
611 if not verify_client_secret(params.client_id, params.client_secret) then
612 module:log("debug", "client_secret mismatch");
613 return oauth_error("invalid_client", "incorrect credentials");
614 end
615 591
616 local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code); 592 local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code);
617 if type(code) ~= "table" or code_expired(code) then 593 if type(code) ~= "table" or code_expired(code) then
618 return oauth_error("expired_token"); 594 return oauth_error("expired_token");
619 elseif code.error then 595 elseif code.error then