diff mod_http_oauth2/mod_http_oauth2.lua @ 5626:a44af1b646f5
mod_http_oauth2: Optionally enforce authentication on revocation endpoint
But why does OAuth require this? If a token leaks, why couldn't anyone
revoke it?
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 31 Jul 2023 02:07:58 +0200 |
parents | 81042c2a235a |
children | 9aace51c3637 |
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:24 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:58 2023 +0200
@@ -1041,6 +1041,8 @@
 	}
 end
 
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
+
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
 	response.headers.cache_control = "no-store";
@@ -1055,6 +1057,11 @@
 		if not verify_client_secret(credentials.username, credentials.password) then
 			return 401;
 		end
+		-- TODO check that it's their token I guess?
+	elseif strict_auth_revoke then
+		-- Why require auth to revoke a leaked token?
+		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+		return 401;
 	end
 
 	local form_data = strict_formdecode(event.request.body);
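Review bot: The new `oauth2_require_auth_revoke` option is read with no comment saying what it gates or why it defaults to `false`, and the option name appears nowhere else in this hunk. A reader has to find the `elseif strict_auth_revoke` branch lower in the function to learn that it turns revocation requests carrying no client credentials into a 401. I would put above the `local strict_auth_revoke` line: `-- When true, revocation requests without client credentials get a 401 challenge (RFC 7009 §2.1 expects the client to authenticate); off by default so existing deployments keep accepting unauthenticated revocation.` The body of handle_revocation_request runs past the end of this hunk.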
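Review bot: An authenticated client can still revoke a token that was issued to a different client: the `-- TODO check that it's their token I guess?` marker sits in the branch where `verify_client_secret` succeeded, and nothing in the hunk compares the token's owner with `credentials.username`. RFC 7009 §2.1 requires the server to verify that the token was issued to the requesting client and to refuse the request otherwise, so with `oauth2_require_auth_revoke` enabled the endpoint can still be used by any registered client to invalidate other clients' sessions. Once the token has been resolved (that happens after this hunk, presumably from the decoded `form_data`), the check would be along the lines of `if token_info.client_id ~= credentials.username then return 403; end` — the field names, and whether the username is in fact the client_id, need confirming against how tokens are stored. Two smaller points: `%q` yields a Lua-quoted string, which only coincides with an RFC 7235 quoted-string for a plain-ASCII realm, and the pre-existing `return 401` on a bad secret sends no `WWW-Authenticate` challenge while the new unauthenticated branch does. handle_revocation_request starts before this hunk and continues after it.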