comparison mod_http_oauth2/mod_http_oauth2.lua @ 5446:dd7bddc87f98

mod_http_oauth2: Fix inclusion of role in refreshed access tokens. `refresh_token_info` does not carry the role; prior to prosody trunk rev a1ba503610ed this made the refreshed token fall back to the user's default role, and after that revision it produced a token with no role at all, which is unusable with e.g. mod_rest. Re-derive the role and scopes from the grant's stored scopes when refreshing.
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:37:35 +0200
parents 74fdf4a7cca1
children aa4828f040c5
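--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -408,15 +408,18 @@
 local refresh_token_info = tokens.get_token_info(params.refresh_token);
 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
 return oauth_error("invalid_grant", "invalid refresh token");
 end
 
+local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
+local new_scopes, role = filter_scopes(username, refresh_scopes);
+
 -- new_access_token() requires the actual token
 refresh_token_info.token = params.refresh_token;
 
 return json.encode(new_access_token(
-refresh_token_info.jid, refresh_token_info.role, refresh_token_info.grant.data.oauth2_scopes, client, nil, refresh_token_info
+refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info
 ));
 end
 
 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
 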
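Review bot: The new `filter_scopes(username, refresh_scopes)` call on new line 414 relies on a `username` that is not bound anywhere in this hunk, yet the role it yields is attached to a token issued for `refresh_token_info.jid`; if `username` is taken from the request rather than derived from the refresh token's JID (the enclosing function starts above the hunk, so this cannot be confirmed here), the role would be evaluated for a different account than the token owner. I would derive it explicitly from `refresh_token_info.jid` immediately before the `filter_scopes` call, or at least assert that the two agree before issuing the token. A short comment would also help the next reader understand why scopes are re-filtered on refresh instead of copied from the grant, e.g. `-- Re-evaluate the granted scopes against the user's current permissions so the refreshed token carries a role the user still holds (presumably; confirm filter_scopes semantics)`. Finally, `refresh_token_info.grant.data.oauth2_scopes` is indexed without a nil check; that was already the case before this change, but now that the value is bound to a named local it would be cheap to return `oauth_error("invalid_grant", ...)` when `grant` or `data` is absent rather than raising.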