comparison mod_http_oauth2/mod_http_oauth2.lua @ 5267:60e0bc35de33
mod_http_oauth2: Relax payload content type checking in revocation
The code expected
Content-Type: application/x-www-form-urlencoded
HTTPie sent
Content-Type: application/x-www-form-urlencoded; charset=utf-8
It did not work
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 21 Mar 2023 22:29:47 +0100 |
parents | 5943605201ca |
children | bac39c6e7203 |
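--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -546,14 +546,10 @@
 return response_handler(client, params, user_jid, id_token);
 end
 
 local function handle_revocation_request(event)
 local request, response = event.request, event.response;
-if request.headers.content_type ~= "application/x-www-form-urlencoded"
-or not request.body or request.body == "" then
-return 400;
-end
 if request.headers.authorization then
 local credentials = get_request_credentials(request);
 if not credentials or credentials.type ~= "basic" then
 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
 return 401;
@@ -562,13 +558,14 @@
 if not verify_client_secret(credentials.username, credentials.password) then
 return 401;
 end
 end
 
-local form_data = http.formdecode(event.request.body);
+local form_data = http.formdecode(event.request.body or "");
 if not form_data or not form_data.token then
-return 400;
+response.headers.accept = "application/x-www-form-urlencoded";
+return 415;
 end
 local ok, err = tokens.revoke_token(form_data.token);
 if not ok then
 module:log("warn", "Unable to revoke token: %s", tostring(err));
 return 500;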
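Review bot: The second hunk now answers 415 whenever `form_data.token` is missing, which conflates an unsupported media type with a well-formed form that simply lacks the token; the latter was a 400 before and should stay one, since RFC 7009 reports malformed revocation requests with a 400 error response. The title says the content-type check is relaxed, but with the first hunk gone the header is no longer consulted at all, so any body (JSON, plain text) is fed to `http.formdecode` and rejected only indirectly through the missing-token branch. Relaxing instead of dropping it keeps the intent while accepting the `; charset=utf-8` variant from the description: `local media_type = (request.headers.content_type or ""):match("^[^;%s]*");` followed by `if media_type ~= "application/x-www-form-urlencoded" then return 415; end`. The `Accept` header set on the 415 path is a request header by definition; if the goal is to advertise the accepted type, `Accept-Post` may be the closer fit, though I am not certain how Prosody's response layer names it. handle_revocation_request continues below the hunk.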