Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5405:c7a5caad28ef
mod_http_oauth2: Enforce response type encoded in client_id
The client promises to only use this response type, so we should hold
them to that.
This makes it fail earlier if the response type is disabled or the
client is trying to use one that it promised not to use. Better than
failing after login and consent.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 May 2023 16:31:25 +0200 |
| parents | 1087f697c3f3 |
| children | b86d80e21c60 |
comparison
equal
deleted
inserted
replaced
| 5404:1087f697c3f3 | 5405:c7a5caad28ef |
|---|---|
| 616 | 616 |
| 617 local ok, client = jwt_verify(params.client_id); | 617 local ok, client = jwt_verify(params.client_id); |
| 618 | 618 |
| 619 if not ok then | 619 if not ok then |
| 620 return oauth_error("invalid_client", "incorrect credentials"); | 620 return oauth_error("invalid_client", "incorrect credentials"); |
| 621 end | |
| 622 | |
| 623 local client_response_types = set.new(array(client.response_types or { "code" })); | |
| 624 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); | |
| 625 if not client_response_types:contains(params.response_type) then | |
| 626 return oauth_error("invalid_client", "response_type not allowed"); | |
| 621 end | 627 end |
| 622 | 628 |
| 623 local auth_state = get_auth_state(request); | 629 local auth_state = get_auth_state(request); |
| 624 if not auth_state.user then | 630 if not auth_state.user then |
| 625 -- Render login page | 631 -- Render login page |