comparison mod_http_oauth2/mod_http_oauth2.lua @ 5403:c574aaaa4d57
mod_http_oauth2: Simplify validation of various URIs
Why: diffstat
How: Reuse of the redirect_uri_allowed() function
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:23:05 +0200 |
parents | fbf3ede7541b |
children | 1087f697c3f3 |
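--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -764,28 +764,21 @@
 end
 end
 
 for field, prop_schema in pairs(registration_schema.properties) do
 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
-local components = url.parse(client_metadata[field]);
-if components.scheme ~= "https" then
-return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
-end
-if components.authority ~= client_uri.authority then
-return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
+if not redirect_uri_allowed(client_metadata[field], client_uri, "web") then
+return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
 end
 end
 end
 
 -- Localized URIs should be secure too
 for k, v in pairs(client_metadata) do
 if k:find"_uri#" then
-local uri = url.parse(v);
-if not uri or uri.scheme ~= "https" then
-return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
-elseif uri.host ~= client_uri.host then
-return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
+if not redirect_uri_allowed(v, client_uri, "web") then
+return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
 end
 end
 end
 
 -- Ensure each signed client_id JWT is unique, short ID and issued at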
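Review bot: The new error text at new lines 770 and 779 drops the field name that the old localized-URI message carried (`"Missing, invalid or insecure "..k`), so a registering client now receives the same opaque invalid_client_metadata description for every informative URI and cannot tell which field, or which localized variant, was rejected; I would append the key, `"Invalid, insecure or inappropriate informative URI: "..field` in the first loop and `"Invalid, insecure or inappropriate informative URI: "..k` in the second. The two removed checks were not equivalent — the first compared `components.authority` (rejecting a differing port or userinfo) while the second compared `uri.host` — and redirect_uri_allowed() is defined outside this hunk, so it is worth confirming that the shared check gives the intended answer for a URI on the client_uri host with a different port. The hard-coded `"web"` also deserves a one-line comment, since it is applied regardless of the client's own application_type; something like `-- informative URIs are held to the "web" rules (https on the client_uri host) whatever the client's application_type` would stop a future reader from "fixing" it. The enclosing function starts and ends outside this hunk.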