Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5626:a44af1b646f5
mod_http_oauth2: Optionally enforce authentication on revocation endpoint
But why do OAuth require this? If a token leaks, why couldn't anyone
revoke it?
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 31 Jul 2023 02:07:58 +0200 |
parents | 81042c2a235a |
children | 9aace51c3637 |
comparison
equal
deleted
inserted
replaced
5625:e86a1018cdb3 | 5626:a44af1b646f5 |
---|---|
1039 }); | 1039 }); |
1040 }; | 1040 }; |
1041 } | 1041 } |
1042 end | 1042 end |
1043 | 1043 |
1044 local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false); | |
1045 | |
1044 local function handle_revocation_request(event) | 1046 local function handle_revocation_request(event) |
1045 local request, response = event.request, event.response; | 1047 local request, response = event.request, event.response; |
1046 response.headers.cache_control = "no-store"; | 1048 response.headers.cache_control = "no-store"; |
1047 response.headers.pragma = "no-cache"; | 1049 response.headers.pragma = "no-cache"; |
1048 if request.headers.authorization then | 1050 if request.headers.authorization then |
1053 end | 1055 end |
1054 -- OAuth "client" credentials | 1056 -- OAuth "client" credentials |
1055 if not verify_client_secret(credentials.username, credentials.password) then | 1057 if not verify_client_secret(credentials.username, credentials.password) then |
1056 return 401; | 1058 return 401; |
1057 end | 1059 end |
1060 -- TODO check that it's their token I guess? | |
1061 elseif strict_auth_revoke then | |
1062 -- Why require auth to revoke a leaked token? | |
1063 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); | |
1064 return 401; | |
1058 end | 1065 end |
1059 | 1066 |
1060 local form_data = strict_formdecode(event.request.body); | 1067 local form_data = strict_formdecode(event.request.body); |
1061 if not form_data or not form_data.token then | 1068 if not form_data or not form_data.token then |
1062 response.headers.accept = "application/x-www-form-urlencoded"; | 1069 response.headers.accept = "application/x-www-form-urlencoded"; |