Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5265:f845c218e52c
mod_http_oauth2: Allow revoking a token without OAuth client credentials
If you have a valid token, and you're not supposed to have it, revoking
it seems the most responsible thing to do with it, so it should be
allowed, while if you are supposed to have it, you should also be
allowed to revoke it.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 21 Mar 2023 22:02:38 +0100 |
| parents | d3ebaef1ea7a |
| children | 5943605201ca |
comparison
equal
deleted
inserted
replaced
| 5264:d3ebaef1ea7a | 5265:f845c218e52c |
|---|---|
| 568 return response_handler(client, params, user_jid, id_token); | 568 return response_handler(client, params, user_jid, id_token); |
| 569 end | 569 end |
| 570 | 570 |
| 571 local function handle_revocation_request(event) | 571 local function handle_revocation_request(event) |
| 572 local request, response = event.request, event.response; | 572 local request, response = event.request, event.response; |
| 573 if not request.headers.authorization then | 573 if request.headers.content_type ~= "application/x-www-form-urlencoded" |
| 574 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); | |
| 575 return 401; | |
| 576 elseif request.headers.content_type ~= "application/x-www-form-urlencoded" | |
| 577 or not request.body or request.body == "" then | 574 or not request.body or request.body == "" then |
| 578 return 400; | 575 return 400; |
| 579 end | 576 end |
| 580 local credentials = get_request_credentials(request); | 577 if request.headers.authorization then |
| 581 if not credentials or credentials.type ~= "basic" then | 578 local credentials = get_request_credentials(request); |
| 582 return 400; | 579 if not credentials or credentials.type ~= "basic" then |
| 583 end | 580 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); |
| 584 -- OAuth "client" credentials | 581 return 401; |
| 585 if not verify_client_secret(credentials.username, credentials.password) then | 582 end |
| 586 return 401; | 583 -- OAuth "client" credentials |
| 584 if not verify_client_secret(credentials.username, credentials.password) then | |
| 585 return 401; | |
| 586 end | |
| 587 end | 587 end |
| 588 | 588 |
| 589 local form_data = http.formdecode(event.request.body); | 589 local form_data = http.formdecode(event.request.body); |
| 590 if not form_data or not form_data.token then | 590 if not form_data or not form_data.token then |
| 591 return 400; | 591 return 400; |