comparison mod_http_oauth2/mod_http_oauth2.lua @ 5478:af105c7a24b2
mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 18 May 2023 14:25:11 +0200 |
parents | 5986e0edd7a3 |
children | 30e2722c9fa3 |
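--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -178,14 +178,10 @@
 -- code to the user for them to copy-paste into the client, which can then
 -- continue as if it received it via redirect.
 local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
 
 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
-local function is_secure_redirect(uri)
-local u = url.parse(uri);
-return u.scheme ~= "http" or loopbacks:contains(u.host);
-end
 
 local function oauth_error(err_name, err_desc)
 return errors.new({
 type = "modify";
 condition = "bad-request";
@@ -605,12 +601,11 @@
 -- appending the error information to the redirect_uri and sending the
 -- redirect to the user-agent. In some cases we can't do this, e.g. if
 -- the redirect_uri is missing or invalid. In those cases, we render an
 -- error directly to the user-agent.
 local function error_response(request, redirect_uri, err)
-if not redirect_uri or not is_secure_redirect(redirect_uri) then
-module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri);
+if not redirect_uri or redirect_uri == oob_uri then
 return render_error(err);
 end
 local q = request.url.query and http.formdecode(request.url.query);
 local redirect_query = url.parse(redirect_uri);
 local sep = redirect_query.query and "&" or "?";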
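Review bot: The header comment on new line 603 still says the error is rendered directly when the redirect_uri is "missing or invalid", but the new condition on line 606 only catches a missing redirect_uri or the out-of-band URI; validity is now a precondition the caller must guarantee, as the commit message states. Because error_response builds a Location target from whatever redirect_uri it is handed, that contract should be stated where the function is defined, e.g. `-- the redirect_uri is missing or is the out-of-band URI. Callers must pass a redirect_uri already validated against the client's registered URIs; this function does not re-check it.` With is_secure_redirect removed, `loopbacks` on line 182 may no longer be referenced anywhere; if so it should go in the same change. The body of error_response continues past the end of the hunk.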