Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5210:898575a0c6f3
mod_http_oauth2: Switch to '303 See Other' redirects
This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is
the only redirect code that guarantees the user agent will use a GET request,
rather than re-submitting a POST request to the new URL.
The latter would be bad for us, as we are encoding auth tokens in the form
data.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 06 Mar 2023 10:37:43 +0000 |
| parents | 942f8a2f722d |
| children | dc0f502c12f1 |
comparison
equal
deleted
inserted
replaced
| 5209:942f8a2f722d | 5210:898575a0c6f3 |
|---|---|
| 209 table.insert(query, { name = "state", value = params.state }); | 209 table.insert(query, { name = "state", value = params.state }); |
| 210 end | 210 end |
| 211 redirect.query = http.formencode(query); | 211 redirect.query = http.formencode(query); |
| 212 | 212 |
| 213 return { | 213 return { |
| 214 status_code = 302; | 214 status_code = 303; |
| 215 headers = { | 215 headers = { |
| 216 location = url.build(redirect); | 216 location = url.build(redirect); |
| 217 }; | 217 }; |
| 218 } | 218 } |
| 219 end | 219 end |
| 227 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); | 227 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); |
| 228 token_info.state = params.state; | 228 token_info.state = params.state; |
| 229 redirect.fragment = http.formencode(token_info); | 229 redirect.fragment = http.formencode(token_info); |
| 230 | 230 |
| 231 return { | 231 return { |
| 232 status_code = 302; | 232 status_code = 303; |
| 233 headers = { | 233 headers = { |
| 234 location = url.build(redirect); | 234 location = url.build(redirect); |
| 235 }; | 235 }; |
| 236 } | 236 } |
| 237 end | 237 end |
| 394 redirect_uri = redirect_uri | 394 redirect_uri = redirect_uri |
| 395 .. sep .. http.formencode(err.extra.oauth2_response) | 395 .. sep .. http.formencode(err.extra.oauth2_response) |
| 396 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); | 396 .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); |
| 397 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); | 397 module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); |
| 398 return { | 398 return { |
| 399 status_code = 302; | 399 status_code = 303; |
| 400 headers = { | 400 headers = { |
| 401 location = redirect_uri; | 401 location = redirect_uri; |
| 402 }; | 402 }; |
| 403 }; | 403 }; |
| 404 end | 404 end |