Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5384:b40f29ec391a
mod_http_oauth2: Allow configuring PKCE challenge methods
You'd pretty much only want this to disable the 'plain' method, since it
doesn't seem to add that much security?
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 29 Apr 2023 13:09:49 +0200 |
| parents | df11a2cbc7b7 |
| children | 544b92750a2a |
comparison
equal
deleted
inserted
replaced
| 5383:df11a2cbc7b7 | 5384:b40f29ec391a |
|---|---|
| 557 if not allowed_response_type_handlers:contains(handler_type) then | 557 if not allowed_response_type_handlers:contains(handler_type) then |
| 558 module:log("debug", "Response type %q disabled", handler_type); | 558 module:log("debug", "Response type %q disabled", handler_type); |
| 559 response_type_handlers[handler_type] = nil; | 559 response_type_handlers[handler_type] = nil; |
| 560 else | 560 else |
| 561 module:log("debug", "Response type %q enabled", handler_type); | 561 module:log("debug", "Response type %q enabled", handler_type); |
| 562 end | |
| 563 end | |
| 564 | |
| 565 local allowed_challenge_methods = module:get_option_set("allowed_oauth2_code_challenge_methods", { "plain"; "S256" }) | |
| 566 for handler_type in pairs(verifier_transforms) do | |
| 567 if not allowed_challenge_methods:contains(handler_type) then | |
| 568 module:log("debug", "Challenge method %q disabled", handler_type); | |
| 569 verifier_transforms[handler_type] = nil; | |
| 570 else | |
| 571 module:log("debug", "Challenge method %q enabled", handler_type); | |
| 562 end | 572 end |
| 563 end | 573 end |
| 564 | 574 |
| 565 function handle_token_grant(event) | 575 function handle_token_grant(event) |
| 566 local credentials = get_request_credentials(event.request); | 576 local credentials = get_request_credentials(event.request); |