comparison mod_http_oauth2/mod_http_oauth2.lua @ 5458:813fe4f76286

mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed.
author Kim Alvefur <zash@zash.se>
date Tue, 16 May 2023 22:18:12 +0200
parents 9156a4754466
children 260a859be86a
comparison
equal deleted inserted replaced
5457:9156a4754466 5458:813fe4f76286
172 172
173 local function get_issuer() 173 local function get_issuer()
174 return (module:http_url(nil, "/"):gsub("/$", "")); 174 return (module:http_url(nil, "/"):gsub("/$", ""));
175 end 175 end
176 176
177 -- Non-standard special redirect URI that has the AS show the authorization
178 -- code to the user for them to copy-paste into the client, which can then
179 -- continue as if it received it via redirect.
180 local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
181
177 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); 182 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
178 local function is_secure_redirect(uri) 183 local function is_secure_redirect(uri)
179 local u = url.parse(uri); 184 local u = url.parse(uri);
180 return u.scheme ~= "http" or loopbacks:contains(u.host); 185 return u.scheme ~= "http" or loopbacks:contains(u.host);
181 end 186 end
293 if not ok then 298 if not ok then
294 return {status_code = 429}; 299 return {status_code = 429};
295 end 300 end
296 301
297 local redirect_uri = get_redirect_uri(client, params.redirect_uri); 302 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
298 if redirect_uri == "urn:ietf:wg:oauth:2.0:oob" then 303 if redirect_uri == oob_uri then
299 -- TODO some nicer template page 304 -- TODO some nicer template page
300 -- mod_http_errors will set content-type to text/html if it catches this 305 -- mod_http_errors will set content-type to text/html if it catches this
301 -- event, if not text/plain is kept for the fallback text. 306 -- event, if not text/plain is kept for the fallback text.
302 local response = { status_code = 200; headers = { content_type = "text/plain" } } 307 local response = { status_code = 200; headers = { content_type = "text/plain" } }
303 response.body = module:context("*"):fire_event("http-message", { 308 response.body = module:context("*"):fire_event("http-message", {
809 local uri = url.parse(redirect_uri); 814 local uri = url.parse(redirect_uri);
810 if not uri.scheme then 815 if not uri.scheme then
811 return false; -- no relative URLs 816 return false; -- no relative URLs
812 end 817 end
813 if app_type == "native" then 818 if app_type == "native" then
814 return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https"; 819 return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil;
815 elseif app_type == "web" then 820 elseif app_type == "web" then
816 return uri.scheme == "https" and uri.host == client_uri.host; 821 return uri.scheme == "https" and uri.host == client_uri.host;
817 end 822 end
818 end 823 end
819 824