comparison mod_http_oauth2/mod_http_oauth2.lua @ 5394:434ee49b04de

mod_http_oauth2: Allow loopback IP literals in redirect URIs Previously only exactly "http://localhost" was allowed, but RFC 8252 seems to recommend both ::1 and 127.0.0.1 be allowed.
author Kim Alvefur <zash@zash.se>
date Sun, 30 Apr 2023 17:16:47 +0200
parents 9b9d612f9083
children ac7c5669e5f5
comparison
equal deleted inserted replaced
5393:9b9d612f9083 5394:434ee49b04de
727 } 727 }
728 728
729 local function redirect_uri_allowed(redirect_uri, client_uri, app_type) 729 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
730 local uri = url.parse(redirect_uri); 730 local uri = url.parse(redirect_uri);
731 if app_type == "native" then 731 if app_type == "native" then
732 return uri.scheme == "http" and uri.host == "localhost" or uri.scheme ~= "https"; 732 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
733 elseif app_type == "web" then 733 elseif app_type == "web" then
734 return uri.scheme == "https" and uri.host == client_uri.host; 734 return uri.scheme == "https" and uri.host == client_uri.host;
735 end 735 end
736 end 736 end
737 737