Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5429:0bbeee8ba8b5
mod_http_oauth2: Strip unknown scopes from consent page
Since the scope string can be any arbitrary space-separated strings.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 07 May 2023 20:25:18 +0200 |
| parents | 07e166b34c4c |
| children | 74fdf4a7cca1 |
comparison
equal
deleted
inserted
replaced
| 5428:07e166b34c4c | 5429:0bbeee8ba8b5 |
|---|---|
| 649 if not auth_state.user then | 649 if not auth_state.user then |
| 650 -- Render login page | 650 -- Render login page |
| 651 return render_page(templates.login, { state = auth_state, client = client }); | 651 return render_page(templates.login, { state = auth_state, client = client }); |
| 652 elseif auth_state.consent == nil then | 652 elseif auth_state.consent == nil then |
| 653 -- Render consent page | 653 -- Render consent page |
| 654 return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true); | 654 local scopes, roles = split_scopes(parse_scopes(params.scope or "")); |
| 655 return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true); | |
| 655 elseif not auth_state.consent then | 656 elseif not auth_state.consent then |
| 656 -- Notify client of rejection | 657 -- Notify client of rejection |
| 657 return error_response(request, oauth_error("access_denied")); | 658 return error_response(request, oauth_error("access_denied")); |
| 658 end | 659 end |
| 659 -- else auth_state.consent == true | 660 -- else auth_state.consent == true |