comparison mod_http_oauth2/mod_http_oauth2.lua @ 5450:d2594bbf7c36

mod_http_oauth2: Scope FIXMEs
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:43:23 +0200
parents 9c19a6b8e542
children 6705f2a09702
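--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -366,10 +366,11 @@
 function grant_type_handlers.authorization_code(params)
 if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
 if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
 if params.scope and params.scope ~= "" then
+-- FIXME allow a subset of granted scopes
 return oauth_error("invalid_scope", "unknown scope requested");
 end
 
 local client_ok, client = jwt_verify(params.client_id);
 if not client_ok then
@@ -542,10 +543,11 @@
 function grant_type_handlers.password(params)
 local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
 if params.scope then
+-- TODO shouldn't we support scopes / roles here?
 return oauth_error("invalid_scope", "unknown scope requested");
 end
 if not request_host or request_host ~= module.host then
 return oauth_error("invalid_request", "invalid JID");
 end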
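Review bot: The FIXME added at new line 371 should spell out the invariant a future implementation has to keep, because the check it annotates is currently the only thing stopping a client from asking for more at token exchange than the user approved at authorization: a scope on the authorization_code token request may only narrow the scope already bound to the code, never widen it, and the comparison must be made against the grant stored with the code, not against the client's registered scopes. I would write it as `-- FIXME allow a subset of granted scopes: requested scope must be a subset of the scope stored with the code; anything wider stays invalid_scope`. RFC 6749 section 4.1.3 does not define a scope parameter for this grant at all, so rejecting any non-empty value, as the code does now, is the conservative choice and should stay until that subset check exists. The two guards also disagree on empty input: the authorization_code handler tolerates `scope=` via `params.scope ~= ""` while the password handler at new line 547 rejects it with `if params.scope then`; `if params.scope and params.scope ~= "" then` would make them consistent. Both grant_type_handlers bodies continue past the end of their hunks.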