Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5267:60e0bc35de33
mod_http_oauth2: Relax payload content type checking in revocation
The code expected
Content-Type: application/x-www-form-urlencoded
HTTPie sent
Content-Type: application/x-www-form-urlencoded; charset=utf-8
It did not work
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 21 Mar 2023 22:29:47 +0100 |
| parents | 5943605201ca |
| children | bac39c6e7203 |
comparison
equal
deleted
inserted
replaced
| 5266:5943605201ca | 5267:60e0bc35de33 |
|---|---|
| 546 return response_handler(client, params, user_jid, id_token); | 546 return response_handler(client, params, user_jid, id_token); |
| 547 end | 547 end |
| 548 | 548 |
| 549 local function handle_revocation_request(event) | 549 local function handle_revocation_request(event) |
| 550 local request, response = event.request, event.response; | 550 local request, response = event.request, event.response; |
| 551 if request.headers.content_type ~= "application/x-www-form-urlencoded" | |
| 552 or not request.body or request.body == "" then | |
| 553 return 400; | |
| 554 end | |
| 555 if request.headers.authorization then | 551 if request.headers.authorization then |
| 556 local credentials = get_request_credentials(request); | 552 local credentials = get_request_credentials(request); |
| 557 if not credentials or credentials.type ~= "basic" then | 553 if not credentials or credentials.type ~= "basic" then |
| 558 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); | 554 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); |
| 559 return 401; | 555 return 401; |
| 562 if not verify_client_secret(credentials.username, credentials.password) then | 558 if not verify_client_secret(credentials.username, credentials.password) then |
| 563 return 401; | 559 return 401; |
| 564 end | 560 end |
| 565 end | 561 end |
| 566 | 562 |
| 567 local form_data = http.formdecode(event.request.body); | 563 local form_data = http.formdecode(event.request.body or ""); |
| 568 if not form_data or not form_data.token then | 564 if not form_data or not form_data.token then |
| 569 return 400; | 565 response.headers.accept = "application/x-www-form-urlencoded"; |
| 566 return 415; | |
| 570 end | 567 end |
| 571 local ok, err = tokens.revoke_token(form_data.token); | 568 local ok, err = tokens.revoke_token(form_data.token); |
| 572 if not ok then | 569 if not ok then |
| 573 module:log("warn", "Unable to revoke token: %s", tostring(err)); | 570 module:log("warn", "Unable to revoke token: %s", tostring(err)); |
| 574 return 500; | 571 return 500; |