Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5549:01a0b67a9afd
mod_http_oauth2: Add TODO about disabling password grant
Per recommendation in draft-ietf-oauth-security-topics-23 it should at
the very least be disabled by default.
However since this is used by the Snikket web portal some care needs to
be taken not to break this, unless it's already broken by other changes
to this module.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 16 Jun 2023 00:06:53 +0200 |
| parents | fd3c12c40cd9 |
| children | 4fda06be6b08 |
comparison
equal
deleted
inserted
replaced
| 5548:fd3c12c40cd9 | 5549:01a0b67a9afd |
|---|---|
| 678 location = redirect_uri; | 678 location = redirect_uri; |
| 679 }; | 679 }; |
| 680 }; | 680 }; |
| 681 end | 681 end |
| 682 | 682 |
| 683 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password", "refresh_token"}) | 683 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", { |
| 684 "authorization_code"; | |
| 685 "password"; -- TODO Disable. The resource owner password credentials grant [RFC6749] MUST NOT be used. | |
| 686 "refresh_token"; | |
| 687 }) | |
| 684 for handler_type in pairs(grant_type_handlers) do | 688 for handler_type in pairs(grant_type_handlers) do |
| 685 if not allowed_grant_type_handlers:contains(handler_type) then | 689 if not allowed_grant_type_handlers:contains(handler_type) then |
| 686 module:log("debug", "Grant type %q disabled", handler_type); | 690 module:log("debug", "Grant type %q disabled", handler_type); |
| 687 grant_type_handlers[handler_type] = nil; | 691 grant_type_handlers[handler_type] = nil; |
| 688 else | 692 else |