comparison mod_http_oauth2/mod_http_oauth2.lua @ 5241:65892dd1d4ae

mod_http_oauth2: Reject insecure redirect URIs

Is this enough, or are they going to be using ftp:// and gopher://?
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:25:50 +0100
parents 001908044d0d
children 4746609a6656
5240:001908044d0d 5241:65892dd1d4ae
602 602
603 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do 603 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
604 local components = url.parse(redirect_uri); 604 local components = url.parse(redirect_uri);
605 if not components or not components.scheme then 605 if not components or not components.scheme then
606 return oauth_error("invalid_request", "Invalid redirect URI."); 606 return oauth_error("invalid_request", "Invalid redirect URI.");
607 elseif components.scheme == "http" and components.host ~= "localhost" then
608 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
607 end 609 end
608 end 610 end
609 611
610 -- Ensure each signed client_id JWT is unique 612 -- Ensure each signed client_id JWT is unique
611 client_metadata.nonce = uuid.generate(); 613 client_metadata.nonce = uuid.generate();
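Review bot: the new `elseif` at 607-608 is a deny-list that matches only the literal scheme `"http"`, so every other non-TLS scheme still passes (the ftp:// and gopher:// the commit message asks about included), and unless `url.parse` lower-cases the scheme, an upper-case `HTTP://` redirect URI slips past the comparison as well; an allow-list (accept `https`, accept `http` only on loopback, reject everything else unless explicitly registered for native apps) with `components.scheme:lower()` would close both gaps in one place. Also, `components.host ~= "localhost"` treats the loopback IP literals `127.0.0.1` and `[::1]` as insecure even though RFC 8252 section 7.3 recommends exactly those for native-app loopback redirects (section 8.3 advises against relying on the name "localhost"), so the loopback exception should accept the IP literals too rather than only the hostname.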