changeset 6515:ff55e93be449

mod_http_oauth2: Normalize username in password grant Otherwise authentication may fail if provided a non-normalized username Introduced in c1b94dd6e53b
author Kim Alvefur <zash@zash.se>
date Wed, 08 Apr 2026 23:08:39 +0200
parents 668b1f0a4dc6
children 3b69df385f66
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 4 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed Apr 08 15:56:38 2026 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed Apr 08 23:08:39 2026 +0200
@@ -455,6 +455,10 @@
 		if not request_username then
 			return oauth_error("invalid_request", "missing 'username'");
 		end
+		request_username = encodings.stringprep.nodeprep(request_username);
+		if not request_username then
+			return oauth_error("invalid_request", "invalid 'username'");
+		end
 	end
 
 	local request_password = params.password;