Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5187:6a3c1febd7be
mod_http_oauth2: Add settings for allowed grant and response types
So that you can opt-in to the insecure methods...
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 02 Mar 2023 23:57:29 +0100 |
| parents | fa3059e653fa |
| children | 7c531137a553 |
comparison
equal
deleted
inserted
replaced
| 5186:fa3059e653fa | 5187:6a3c1febd7be |
|---|---|
| 251 response_type_handlers.token = nil; | 251 response_type_handlers.token = nil; |
| 252 grant_type_handlers.authorization_code = nil; | 252 grant_type_handlers.authorization_code = nil; |
| 253 check_credentials = function () return false end | 253 check_credentials = function () return false end |
| 254 end | 254 end |
| 255 | 255 |
| 256 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"}) | |
| 257 for handler_type in pairs(grant_type_handlers) do | |
| 258 if not allowed_grant_type_handlers:contains(handler_type) then | |
| 259 grant_type_handlers[handler_type] = nil; | |
| 260 end | |
| 261 end | |
| 262 | |
| 263 -- "token" aka implicit flow is considered insecure | |
| 264 local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"}) | |
| 265 for handler_type in pairs(allowed_response_type_handlers) do | |
| 266 if not allowed_grant_type_handlers:contains(handler_type) then | |
| 267 grant_type_handlers[handler_type] = nil; | |
| 268 end | |
| 269 end | |
| 270 | |
| 256 function handle_token_grant(event) | 271 function handle_token_grant(event) |
| 257 event.response.headers.content_type = "application/json"; | 272 event.response.headers.content_type = "application/json"; |
| 258 local params = http.formdecode(event.request.body); | 273 local params = http.formdecode(event.request.body); |
| 259 if not params then | 274 if not params then |
| 260 return oauth_error("invalid_request"); | 275 return oauth_error("invalid_request"); |