comparison mod_http_oauth2/mod_http_oauth2.lua @ 5429:0bbeee8ba8b5

mod_http_oauth2: Strip unknown scopes from consent page, since the scope string can be an arbitrary set of space-separated strings.
author Kim Alvefur <zash@zash.se>
date Sun, 07 May 2023 20:25:18 +0200
parents 07e166b34c4c
children 74fdf4a7cca1
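--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -649,10 +649,11 @@
 	if not auth_state.user then
 		-- Render login page
 		return render_page(templates.login, { state = auth_state, client = client });
 	elseif auth_state.consent == nil then
 		-- Render consent page
-		return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true);
+		local scopes, roles = split_scopes(parse_scopes(params.scope or ""));
+		return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true);
 	elseif not auth_state.consent then
 		-- Notify client of rejection
 		return error_response(request, oauth_error("access_denied"));
 	end
 	-- else auth_state.consent == true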
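Review bot: The consent page now lists only what `split_scopes` recognises, but nothing in this hunk ties that filtered set to what is actually granted once `auth_state.consent == true`; if the later path builds the grant from the raw `params.scope`, the user consents to a narrower set than the client receives. The same `split_scopes(parse_scopes(params.scope or ""))` result should be what the grant is issued from, or the stripped list should travel with `auth_state` so the displayed and granted sets cannot diverge. Separately, `scopes+roles` only works if both values carry an `__add` metamethod (presumably `util.array`); a plain-table return from `split_scopes` would raise here, so a comment such as `-- split_scopes returns util.array; + concatenates` would make the dependency explicit. The enclosing function starts and ends outside this hunk.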