Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5446:dd7bddc87f98
mod_http_oauth2: Fix inclusion of role in refreshed access tokens
`refresh_token_info` does not carry the role, and due to behavior prior
to prosody trunk rev a1ba503610ed it would have reverted to the users'
default role. After that it instead issues a token without role which is
thus not usable with e.g. mod_rest
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 11 May 2023 21:37:35 +0200 |
| parents | 74fdf4a7cca1 |
| children | aa4828f040c5 |
comparison
equal
deleted
inserted
replaced
| 5445:74fdf4a7cca1 | 5446:dd7bddc87f98 |
|---|---|
| 408 local refresh_token_info = tokens.get_token_info(params.refresh_token); | 408 local refresh_token_info = tokens.get_token_info(params.refresh_token); |
| 409 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then | 409 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then |
| 410 return oauth_error("invalid_grant", "invalid refresh token"); | 410 return oauth_error("invalid_grant", "invalid refresh token"); |
| 411 end | 411 end |
| 412 | 412 |
| 413 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; | |
| 414 local new_scopes, role = filter_scopes(username, refresh_scopes); | |
| 415 | |
| 413 -- new_access_token() requires the actual token | 416 -- new_access_token() requires the actual token |
| 414 refresh_token_info.token = params.refresh_token; | 417 refresh_token_info.token = params.refresh_token; |
| 415 | 418 |
| 416 return json.encode(new_access_token( | 419 return json.encode(new_access_token( |
| 417 refresh_token_info.jid, refresh_token_info.role, refresh_token_info.grant.data.oauth2_scopes, client, nil, refresh_token_info | 420 refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info |
| 418 )); | 421 )); |
| 419 end | 422 end |
| 420 | 423 |
| 421 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients | 424 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients |
| 422 | 425 |
