Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5394:434ee49b04de
mod_http_oauth2: Allow loopback IP literals in redirect URIs
Previously only exactly "http://localhost" was allowed, but RFC 8252
seems to recommend both ::1 and 127.0.0.1 be allowed.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 30 Apr 2023 17:16:47 +0200 |
| parents | 9b9d612f9083 |
| children | ac7c5669e5f5 |
comparison
equal
deleted
inserted
replaced
| 5393:9b9d612f9083 | 5394:434ee49b04de |
|---|---|
| 727 } | 727 } |
| 728 | 728 |
| 729 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) | 729 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) |
| 730 local uri = url.parse(redirect_uri); | 730 local uri = url.parse(redirect_uri); |
| 731 if app_type == "native" then | 731 if app_type == "native" then |
| 732 return uri.scheme == "http" and uri.host == "localhost" or uri.scheme ~= "https"; | 732 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; |
| 733 elseif app_type == "web" then | 733 elseif app_type == "web" then |
| 734 return uri.scheme == "https" and uri.host == client_uri.host; | 734 return uri.scheme == "https" and uri.host == client_uri.host; |
| 735 end | 735 end |
| 736 end | 736 end |
| 737 | 737 |