comparison mod_http_oauth2/mod_http_oauth2.lua @ 5242:4746609a6656
mod_http_oauth2: Validate that informative URLs match the redirect URIs
It is a bit shady to have the various URIs (URLs really) point to
different hostnames.
This may be considerably stricter than required, but it can always be relaxed
later.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 11 Mar 2023 22:31:02 +0100 |
parents | 65892dd1d4ae |
children | d5dc8edb2695 |
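--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -598,16 +598,31 @@
 
 	if not schema.validate(registration_schema, client_metadata) then
 		return oauth_error("invalid_request", "Failed schema validation.");
 	end
 
+	local redirect_hosts = set.new();
 	for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 		local components = url.parse(redirect_uri);
 		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
 		elseif components.scheme == "http" and components.host ~= "localhost" then
 			return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
+		elseif components.scheme == "https" then
+			redirect_hosts:add(components.host);
+		end
+	end
+
+	for field, prop_schema in pairs(registration_schema) do
+		if prop_schema.format == "uri" and client_metadata[field] then
+			local components = url.parse(client_metadata[field]);
+			if components.scheme ~= "https" then
+				return oauth_error("invalid_request", "Insecure URI forbidden");
+			end
+			if not redirect_hosts:contains(components.host) then
+				return oauth_error("invalid_request", "Informative URI must match redirect URIs");
+			end
 		end
 	end
 
 	-- Ensure each signed client_id JWT is unique
 	client_metadata.nonce = uuid.generate();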
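Review bot: In the new second loop, `url.parse(client_metadata[field])` is dereferenced without a nil check, so an unparseable value in a `format = "uri"` field raises an "attempt to index a nil value" error in the handler instead of returning an `oauth_error`; the first loop guards exactly this with `if not components or not components.scheme`, and the new check should match it: `if not components or components.scheme ~= "https" then`. Whether `schema.validate` already rejects malformed URI strings depends on the validator honouring `format`, which is not visible here, so the guard is cheap insurance. The loop also iterates `pairs(registration_schema)` directly; if `registration_schema` is a JSON-Schema object whose per-field schemas sit under a `properties` table, this visits only the top-level keywords (where `prop_schema.format` on a string value such as `type = "object"` resolves to `string.format` through the string metatable and compares false) and the informative-URI check silently never runs — please confirm the shape of `registration_schema`. Note too that `redirect_hosts` collects only https hosts, so a client registering only `http://localhost` redirect URIs can no longer supply any informative URI; if that is intended, a comment would help, e.g. `-- Only https redirect hosts count; clients with only http://localhost redirects may not register informative URIs`. The enclosing registration handler starts before and ends after this hunk.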