Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5446:dd7bddc87f98
mod_http_oauth2: Fix inclusion of role in refreshed access tokens
`refresh_token_info` does not carry the role, and due to behavior prior
to prosody trunk rev a1ba503610ed it would have reverted to the users'
default role. After that it instead issues a token without role which is
thus not usable with e.g. mod_rest
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 11 May 2023 21:37:35 +0200 |
parents | 74fdf4a7cca1 |
children | aa4828f040c5 |
comparison
equal
deleted
inserted
replaced
5445:74fdf4a7cca1 | 5446:dd7bddc87f98 |
---|---|
408 local refresh_token_info = tokens.get_token_info(params.refresh_token); | 408 local refresh_token_info = tokens.get_token_info(params.refresh_token); |
409 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then | 409 if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then |
410 return oauth_error("invalid_grant", "invalid refresh token"); | 410 return oauth_error("invalid_grant", "invalid refresh token"); |
411 end | 411 end |
412 | 412 |
413 local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes; | |
414 local new_scopes, role = filter_scopes(username, refresh_scopes); | |
415 | |
413 -- new_access_token() requires the actual token | 416 -- new_access_token() requires the actual token |
414 refresh_token_info.token = params.refresh_token; | 417 refresh_token_info.token = params.refresh_token; |
415 | 418 |
416 return json.encode(new_access_token( | 419 return json.encode(new_access_token( |
417 refresh_token_info.jid, refresh_token_info.role, refresh_token_info.grant.data.oauth2_scopes, client, nil, refresh_token_info | 420 refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info |
418 )); | 421 )); |
419 end | 422 end |
420 | 423 |
421 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients | 424 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients |
422 | 425 |