comparison mod_http_oauth2/mod_http_oauth2.lua @ 5403:c574aaaa4d57

mod_http_oauth2: Simplify validation of various URIs Why: diffstat How: Reuse of the redirect_uri_allowed() function
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:23:05 +0200
parents fbf3ede7541b
children 1087f697c3f3
comparison
equal deleted inserted replaced
5402:fbf3ede7541b 5403:c574aaaa4d57
764 end 764 end
765 end 765 end
766 766
767 for field, prop_schema in pairs(registration_schema.properties) do 767 for field, prop_schema in pairs(registration_schema.properties) do
768 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then 768 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
769 local components = url.parse(client_metadata[field]); 769 if not redirect_uri_allowed(client_metadata[field], client_uri, "web") then
770 if components.scheme ~= "https" then 770 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
771 return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
772 end
773 if components.authority ~= client_uri.authority then
774 return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
775 end 771 end
776 end 772 end
777 end 773 end
778 774
779 -- Localized URIs should be secure too 775 -- Localized URIs should be secure too
780 for k, v in pairs(client_metadata) do 776 for k, v in pairs(client_metadata) do
781 if k:find"_uri#" then 777 if k:find"_uri#" then
782 local uri = url.parse(v); 778 if not redirect_uri_allowed(v, client_uri, "web") then
783 if not uri or uri.scheme ~= "https" then 779 return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
784 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
785 elseif uri.host ~= client_uri.host then
786 return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
787 end 780 end
788 end 781 end
789 end 782 end
790 783
791 -- Ensure each signed client_id JWT is unique, short ID and issued at 784 -- Ensure each signed client_id JWT is unique, short ID and issued at