diff mod_http_oauth2/mod_http_oauth2.lua @ 5458:813fe4f76286
mod_http_oauth2: Do minimal validation of private-use URI schemes
Per draft-ietf-oauth-v2-1-08#section-2.3.1
> At a minimum, any private-use URI scheme that doesn't contain a period
> character (.) SHOULD be rejected.
Since this would rule out the OOB URI, which is useful for CLI tools and
such without a built-in http server, it is explicitly allowed.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 16 May 2023 22:18:12 +0200 |
parents | 9156a4754466 |
children | 260a859be86a |
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 22:16:39 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 16 22:18:12 2023 +0200
@@ -174,6 +174,11 @@
 return (module:http_url(nil, "/"):gsub("/$", ""));
 end
+-- Non-standard special redirect URI that has the AS show the authorization
+-- code to the user for them to copy-paste into the client, which can then
+-- continue as if it received it via redirect.
+local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
+
 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
 local function is_secure_redirect(uri)
 local u = url.parse(uri);
@@ -295,7 +300,7 @@
 end
 local redirect_uri = get_redirect_uri(client, params.redirect_uri);
- if redirect_uri == "urn:ietf:wg:oauth:2.0:oob" then
+ if redirect_uri == oob_uri then
 -- TODO some nicer template page
 -- mod_http_errors will set content-type to text/html if it catches this
 -- event, if not text/plain is kept for the fallback text.
@@ -811,7 +816,7 @@
 return false; -- no relative URLs
 end
 if app_type == "native" then
- return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
+ return uri.scheme == "http" and loopbacks:contains(uri.host) or redirect_uri == oob_uri or uri.scheme:find(".", 1, true) ~= nil;
 elseif app_type == "web" then
 return uri.scheme == "https" and uri.host == client_uri.host;
 end
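Review bot: The new native-app condition in the third hunk packs three distinct acceptance rules into one `and`/`or` chain without saying which rule is which, and `uri.scheme:find(".", 1, true)` raises if `scheme` is nil, so it depends on the `no relative URLs` guard above it rejecting a missing scheme (presumably it does; the enclosing function starts outside the hunk, and `redirect_uri` is assumed to be the raw string in scope). I would name the disjuncts and cite the rule on the line it implements: `local is_loopback_http = uri.scheme == "http" and loopbacks:contains(uri.host);` / `local is_private_use = uri.scheme:find(".", 1, true) ~= nil; -- draft-ietf-oauth-v2-1 section 2.3.1: private-use schemes must contain a period` / `return is_loopback_http or redirect_uri == oob_uri or is_private_use;`. A period is only the minimum the draft asks for: it does not tie the scheme to a domain the client controls, and the check also still rejects claimed `https` redirect URIs for native apps, which is worth a comment so a later reader does not mistake the period test for full validation.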