Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5242:4746609a6656
mod_http_oauth2: Validate that informative URLs match the redirect URIs
It is a bit shady to have the various URIs (URLs really) point to
different hostnames.
This may be quite stricter than required, but can always be relaxed
later.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 11 Mar 2023 22:31:02 +0100 |
| parents | 65892dd1d4ae |
| children | d5dc8edb2695 |
comparison
equal
deleted
inserted
replaced
| 5241:65892dd1d4ae | 5242:4746609a6656 |
|---|---|
| 598 | 598 |
| 599 if not schema.validate(registration_schema, client_metadata) then | 599 if not schema.validate(registration_schema, client_metadata) then |
| 600 return oauth_error("invalid_request", "Failed schema validation."); | 600 return oauth_error("invalid_request", "Failed schema validation."); |
| 601 end | 601 end |
| 602 | 602 |
| 603 local redirect_hosts = set.new(); | |
| 603 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do | 604 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do |
| 604 local components = url.parse(redirect_uri); | 605 local components = url.parse(redirect_uri); |
| 605 if not components or not components.scheme then | 606 if not components or not components.scheme then |
| 606 return oauth_error("invalid_request", "Invalid redirect URI."); | 607 return oauth_error("invalid_request", "Invalid redirect URI."); |
| 607 elseif components.scheme == "http" and components.host ~= "localhost" then | 608 elseif components.scheme == "http" and components.host ~= "localhost" then |
| 608 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); | 609 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); |
| 610 elseif components.scheme == "https" then | |
| 611 redirect_hosts:add(components.host); | |
| 612 end | |
| 613 end | |
| 614 | |
| 615 for field, prop_schema in pairs(registration_schema) do | |
| 616 if prop_schema.format == "uri" and client_metadata[field] then | |
| 617 local components = url.parse(client_metadata[field]); | |
| 618 if components.scheme ~= "https" then | |
| 619 return oauth_error("invalid_request", "Insecure URI forbidden"); | |
| 620 end | |
| 621 if not redirect_hosts:contains(components.host) then | |
| 622 return oauth_error("invalid_request", "Informative URI must match redirect URIs"); | |
| 623 end | |
| 609 end | 624 end |
| 610 end | 625 end |
| 611 | 626 |
| 612 -- Ensure each signed client_id JWT is unique | 627 -- Ensure each signed client_id JWT is unique |
| 613 client_metadata.nonce = uuid.generate(); | 628 client_metadata.nonce = uuid.generate(); |