Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5187:6a3c1febd7be
mod_http_oauth2: Add settings for allowed grant and response types
So that you can opt-in to the insecure methods...
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 02 Mar 2023 23:57:29 +0100 |
parents | fa3059e653fa |
children | 7c531137a553 |
comparison
equal
deleted
inserted
replaced
5186:fa3059e653fa | 5187:6a3c1febd7be |
---|---|
251 response_type_handlers.token = nil; | 251 response_type_handlers.token = nil; |
252 grant_type_handlers.authorization_code = nil; | 252 grant_type_handlers.authorization_code = nil; |
253 check_credentials = function () return false end | 253 check_credentials = function () return false end |
254 end | 254 end |
255 | 255 |
256 local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"}) | |
257 for handler_type in pairs(grant_type_handlers) do | |
258 if not allowed_grant_type_handlers:contains(handler_type) then | |
259 grant_type_handlers[handler_type] = nil; | |
260 end | |
261 end | |
262 | |
263 -- "token" aka implicit flow is considered insecure | |
264 local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"}) | |
265 for handler_type in pairs(allowed_response_type_handlers) do | |
266 if not allowed_grant_type_handlers:contains(handler_type) then | |
267 grant_type_handlers[handler_type] = nil; | |
268 end | |
269 end | |
270 | |
256 function handle_token_grant(event) | 271 function handle_token_grant(event) |
257 event.response.headers.content_type = "application/json"; | 272 event.response.headers.content_type = "application/json"; |
258 local params = http.formdecode(event.request.body); | 273 local params = http.formdecode(event.request.body); |
259 if not params then | 274 if not params then |
260 return oauth_error("invalid_request"); | 275 return oauth_error("invalid_request"); |