Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5209:942f8a2f722d
mod_http_oauth2: Allow non-HTTPS on localhost URLs
This is the recommended behaviour (draft-ietf-oauth-v2-1-07 section 7.5.1).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 06 Mar 2023 10:29:14 +0000 |
| parents | aaa64c647e12 |
| children | 898575a0c6f3 |
comparison
equal
deleted
inserted
replaced
| 5208:aaa64c647e12 | 5209:942f8a2f722d |
|---|---|
| 9 local uuid = require "util.uuid"; | 9 local uuid = require "util.uuid"; |
| 10 local encodings = require "util.encodings"; | 10 local encodings = require "util.encodings"; |
| 11 local base64 = encodings.base64; | 11 local base64 = encodings.base64; |
| 12 local random = require "util.random"; | 12 local random = require "util.random"; |
| 13 local schema = require "util.jsonschema"; | 13 local schema = require "util.jsonschema"; |
| 14 local set = require "util.set"; | |
| 14 local jwt = require"util.jwt"; | 15 local jwt = require"util.jwt"; |
| 15 local it = require "util.iterators"; | 16 local it = require "util.iterators"; |
| 16 local array = require "util.array"; | 17 local array = require "util.array"; |
| 17 local st = require "util.stanza"; | 18 local st = require "util.stanza"; |
| 18 | 19 |
| 110 return code and code_expires_in(code) + 1 or 900; | 111 return code and code_expires_in(code) + 1 or 900; |
| 111 end) | 112 end) |
| 112 | 113 |
| 113 local function get_issuer() | 114 local function get_issuer() |
| 114 return (module:http_url(nil, "/"):gsub("/$", "")); | 115 return (module:http_url(nil, "/"):gsub("/$", "")); |
| 116 end | |
| 117 | |
| 118 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); | |
| 119 local function is_secure_redirect(uri) | |
| 120 local u = url.parse(uri); | |
| 121 return u.scheme ~= "http" or loopbacks:contains(u.host); | |
| 115 end | 122 end |
| 116 | 123 |
| 117 local function oauth_error(err_name, err_desc) | 124 local function oauth_error(err_name, err_desc) |
| 118 return errors.new({ | 125 return errors.new({ |
| 119 type = "modify"; | 126 type = "modify"; |
| 376 -- the redirect_uri is missing or invalid. In those cases, we render an | 383 -- the redirect_uri is missing or invalid. In those cases, we render an |
| 377 -- error directly to the user-agent. | 384 -- error directly to the user-agent. |
| 378 local function error_response(request, err) | 385 local function error_response(request, err) |
| 379 local q = request.url.query and http.formdecode(request.url.query); | 386 local q = request.url.query and http.formdecode(request.url.query); |
| 380 local redirect_uri = q and q.redirect_uri; | 387 local redirect_uri = q and q.redirect_uri; |
| 381 if not redirect_uri or not redirect_uri:match("^https://") then | 388 if not redirect_uri or not is_safe_redirect(redirect_uri) then |
| 382 module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or ""); | 389 module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or ""); |
| 383 return render_page(templates.error, { error = err }); | 390 return render_page(templates.error, { error = err }); |
| 384 end | 391 end |
| 385 local redirect_query = url.parse(redirect_uri); | 392 local redirect_query = url.parse(redirect_uri); |
| 386 local sep = redirect_query and "&" or "?"; | 393 local sep = redirect_query and "&" or "?"; |