comparison mod_http_oauth2/mod_http_oauth2.lua @ 5510:a49d73e4262e

mod_http_oauth2: Add client verification wrapper function. Fixes the weird `ok, data` return format from util.jwt, but the real reason is to add some preparation steps here.
author Kim Alvefur <zash@zash.se>
date Fri, 02 Jun 2023 10:12:46 +0200
parents ae007be8a6bd
children 0860497152af
5509:ae007be8a6bd 5510:a49d73e4262e
95 -- Tie it to the host if global 95 -- Tie it to the host if global
96 verification_key = hashes.hmac_sha256(registration_key, module.host); 96 verification_key = hashes.hmac_sha256(registration_key, module.host);
97 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options); 97 sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options);
98 end 98 end
99 99
100 -- verify and prepare client structure
101 local function check_client(client_id)
102 if not verify_client then
103 return nil, "client-registration-not-enabled";
104 end
105
106 local ok, client = verify_client(client_id);
107 if not ok then return ok, client; end
108 return client;
109 end
110
100 -- scope : string | array | set 111 -- scope : string | array | set
101 -- 112 --
102 -- at each step, allow the same or a subset of scopes 113 -- at each step, allow the same or a subset of scopes
103 -- (all ( client ( grant ( token ) ) )) 114 -- (all ( client ( grant ( token ) ) ))
104 -- preserve order since it determines role if more than one granted 115 -- preserve order since it determines role if more than one granted
407 if params.scope and params.scope ~= "" then 418 if params.scope and params.scope ~= "" then
408 -- FIXME allow a subset of granted scopes 419 -- FIXME allow a subset of granted scopes
409 return oauth_error("invalid_scope", "unknown scope requested"); 420 return oauth_error("invalid_scope", "unknown scope requested");
410 end 421 end
411 422
412 local client_ok, client = verify_client(params.client_id); 423 local client = check_client(params.client_id);
413 if not client_ok then 424 if not client then
414 return oauth_error("invalid_client", "incorrect credentials"); 425 return oauth_error("invalid_client", "incorrect credentials");
415 end 426 end
416 427
417 if not verify_client_secret(params.client_id, params.client_secret) then 428 if not verify_client_secret(params.client_id, params.client_secret) then
418 module:log("debug", "client_secret mismatch"); 429 module:log("debug", "client_secret mismatch");
442 function grant_type_handlers.refresh_token(params) 453 function grant_type_handlers.refresh_token(params)
443 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end 454 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
444 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end 455 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
445 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end 456 if not params.refresh_token then return oauth_error("invalid_request", "missing 'refresh_token'"); end
446 457
447 local client_ok, client = verify_client(params.client_id); 458 local client = check_client(params.client_id);
448 if not client_ok then 459 if not client then
449 return oauth_error("invalid_client", "incorrect credentials"); 460 return oauth_error("invalid_client", "incorrect credentials");
450 end 461 end
451 462
452 if not verify_client_secret(params.client_id, params.client_secret) then 463 if not verify_client_secret(params.client_id, params.client_secret) then
453 module:log("debug", "client_secret mismatch"); 464 module:log("debug", "client_secret mismatch");
702 713
703 if not params.client_id then 714 if not params.client_id then
704 return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter")); 715 return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter"));
705 end 716 end
706 717
707 local ok, client = verify_client(params.client_id); 718 local client = check_client(params.client_id);
708 719
709 if not ok then 720 if not client then
710 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); 721 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter"));
711 end 722 end
712 723
713 local redirect_uri = get_redirect_uri(client, params.redirect_uri); 724 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
714 if not redirect_uri then 725 if not redirect_uri then
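Review bot: The failure reason that check_client (new lines 101-109) passes back as its second return value is dropped by all three callers (new lines 423, 458, 718), which each test only `if not client then`, so a verification failure caused by "client-registration-not-enabled" is indistinguishable in the logs from a client_id whose signature does not verify. Logging the reason once inside the wrapper keeps the callers unchanged while making failed client verifications diagnosable and auditable: `local ok, client = verify_client(client_id);` / `if not ok then module:log("debug", "Client verification failed: %s", client); return nil, client; end` / `return client;`. Returning `nil, err` there also normalises the result to the module's `nil, err` convention instead of forwarding whatever falsy `ok` value verify_client produced. The header comment "verify and prepare client structure" promises preparation steps the body does not yet perform; until they land, `-- verify the client_id token; preparation of the client structure is planned here` describes what the function actually does.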