Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5559:d7fb8b266663
mod_http_oauth2: Strip unknown client metadata
Per RFC 7591
> The authorization server MUST ignore any client metadata sent by the
> client that it does not understand (for instance, by silently removing
> unknown metadata from the client's registration record during
> processing).
This was previously done but unintentionally removed in 90449babaa48
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 20 Jun 2023 01:11:34 +0200 |
| parents | 90449babaa48 |
| children | 697d799fe601 |
comparison
equal
deleted
inserted
replaced
| 5558:3276750332ea | 5559:d7fb8b266663 |
|---|---|
| 977 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then | 977 if client_metadata[propname] == nil and type(propspec) == "table" and propspec.default ~= nil then |
| 978 client_metadata[propname] = propspec.default; | 978 client_metadata[propname] = propspec.default; |
| 979 end | 979 end |
| 980 end | 980 end |
| 981 | 981 |
| 982 -- MUST ignore any metadata that it does not understand | |
| 983 for propname in pairs(client_metadata) do | |
| 984 if not registration_schema.properties[propname] then | |
| 985 client_metadata[propname] = nil; | |
| 986 end | |
| 987 end | |
| 988 | |
| 982 local client_uri = url.parse(client_metadata.client_uri); | 989 local client_uri = url.parse(client_metadata.client_uri); |
| 983 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then | 990 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then |
| 984 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); | 991 return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri"); |
| 985 end | 992 end |
| 986 | 993 |