comparison mod_http_oauth2/mod_http_oauth2.lua @ 5267:60e0bc35de33

mod_http_oauth2: Relax payload content type checking in revocation

The code expected "Content-Type: application/x-www-form-urlencoded".
HTTPie sent "Content-Type: application/x-www-form-urlencoded; charset=utf-8".
It did not work.
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 22:29:47 +0100
parents 5943605201ca
children bac39c6e7203
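--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -546,14 +546,10 @@
 return response_handler(client, params, user_jid, id_token);
 end
 
 local function handle_revocation_request(event)
 local request, response = event.request, event.response;
-if request.headers.content_type ~= "application/x-www-form-urlencoded"
-or not request.body or request.body == "" then
-return 400;
-end
 if request.headers.authorization then
 local credentials = get_request_credentials(request);
 if not credentials or credentials.type ~= "basic" then
 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
 return 401;
@@ -562,13 +558,14 @@
 if not verify_client_secret(credentials.username, credentials.password) then
 return 401;
 end
 end
 
-local form_data = http.formdecode(event.request.body);
+local form_data = http.formdecode(event.request.body or "");
 if not form_data or not form_data.token then
-return 400;
+response.headers.accept = "application/x-www-form-urlencoded";
+return 415;
 end
 local ok, err = tokens.revoke_token(form_data.token);
 if not ok then
 module:log("warn", "Unable to revoke token: %s", tostring(err));
 return 500;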
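Review bot: The new `return 415;` path is triggered by a missing `token` field rather than by the media type, because the Content-Type header is no longer inspected at all. A correctly typed request that omits `token` now gets 415 plus an `Accept` hint, and a body of any declared type is passed to `http.formdecode`. To relax the check without dropping it, compare only the media type, e.g. `local media_type = (request.headers.content_type or ""):match("^%s*([^;%s]*)"):lower();`, return 415 when `media_type ~= "application/x-www-form-urlencoded"`, and keep `return 400;` for a decoded form without `token`. Separately, the context lines check client credentials only when an Authorization header is present, and the visible `tokens.revoke_token(form_data.token)` call takes no client identity, so it is worth confirming elsewhere that a token can only be revoked by the client it was issued to. The function body continues past the end of this section.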