Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5357:eda3b078ba2c
mod_http_oauth2: Validate (unused at this point) localized URIs
Client registration may include keys of the form "some_uri#lang-code"
pointing to alternate language versions of the various URIs. We don't
use this yet but the same validation should apply.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 22 Apr 2023 14:02:56 +0200 |
| parents | 959dc350f2ad |
| children | 0905d348bd34 |
comparison
equal
deleted
inserted
replaced
| 5356:959dc350f2ad | 5357:eda3b078ba2c |
|---|---|
| 668 jwks = { type = "object"; description = "JSON Web Key Set, RFC 7517" }; | 668 jwks = { type = "object"; description = "JSON Web Key Set, RFC 7517" }; |
| 669 software_id = { type = "string"; format = "uuid" }; | 669 software_id = { type = "string"; format = "uuid" }; |
| 670 software_version = { type = "string" }; | 670 software_version = { type = "string" }; |
| 671 }; | 671 }; |
| 672 -- Localized versions of descriptive properties and URIs | 672 -- Localized versions of descriptive properties and URIs |
| 673 patternProperties = { ["^[a-z_]+_uri#"] = { type = "string"; format = "uri"; pattern = "^https:" } }; | |
| 673 additionalProperties = { type = "string" }; | 674 additionalProperties = { type = "string" }; |
| 674 } | 675 } |
| 675 | 676 |
| 676 function create_client(client_metadata) | 677 function create_client(client_metadata) |
| 677 if not schema.validate(registration_schema, client_metadata) then | 678 if not schema.validate(registration_schema, client_metadata) then |
| 700 if components.scheme ~= "https" then | 701 if components.scheme ~= "https" then |
| 701 return nil, oauth_error("invalid_request", "Insecure URI forbidden"); | 702 return nil, oauth_error("invalid_request", "Insecure URI forbidden"); |
| 702 end | 703 end |
| 703 if components.authority ~= client_uri.authority then | 704 if components.authority ~= client_uri.authority then |
| 704 return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname"); | 705 return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname"); |
| 706 end | |
| 707 end | |
| 708 end | |
| 709 | |
| 710 -- Localized URIs should be secure too | |
| 711 for k, v in pairs(client_metadata) do | |
| 712 if k:find"_uri#" then | |
| 713 local uri = url.parse(v); | |
| 714 if not uri or uri.scheme ~= "https" then | |
| 715 return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k); | |
| 716 elseif uri.host ~= client_uri.host then | |
| 717 return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri"); | |
| 705 end | 718 end |
| 706 end | 719 end |
| 707 end | 720 end |
| 708 | 721 |
| 709 -- Ensure each signed client_id JWT is unique, short ID and issued at | 722 -- Ensure each signed client_id JWT is unique, short ID and issued at |