prosody-modules: mod_http_oauth2/mod_http

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5219:25e824f64fd3

mod_http_oauth2: Improve handling of redirect_uri matching and fallback Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it registered multiple. If it only registered a single URI, it may be omitted from the authorize request.

author	Matthew Wild <mwild1@gmail.com>
date	Tue, 07 Mar 2023 13:19:19 +0000
parents	1f4b768c831a
children	22483cfce3ce

comparison

equal deleted inserted replaced

-:1f4b768c831a
+:25e824f64fd3
 		-- TODO: include refresh_token when implemented
 	};
 end
 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
+	if not query_redirect_uri then
+		if #client.redirect_uris ~= 1 then
+			-- Client registered multiple URIs, it needs specify which one to use
+			return;
+		end
+		-- When only a single URI is registered, that's the default
+		return client.redirect_uris[1];
+	end
+	-- Verify the client-provided URI matches one previously registered
 	for _, redirect_uri in ipairs(client.redirect_uris) do
-		if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
+		if query_redirect_uri == redirect_uri then
 			return redirect_uri
 		end
 	end
 end
 			title = "Your authorization code";
 			message = "Here's your authorization code, copy and paste it into " .. (client.client_name or "your client");
 			extra = code;
 		}) or ("Here's your authorization code:\n%s\n"):format(code);
 		return response;
+	elseif not redirect_uri then
+		return {status_code = 400};
 	end
 	local redirect = url.parse(redirect_uri);
 	local query = http.formdecode(redirect.query or "");

Mercurial > prosody-modules

comparison mod_http_oauth2/mod_http_oauth2.lua @ 5219:25e824f64fd3