Mercurial > prosody-modules
diff mod_http_oauth2/mod_http_oauth2.lua @ 5403:c574aaaa4d57
mod_http_oauth2: Simplify validation of various URIs
Why: diffstat
How: Reuse of the redirect_uri_allowed() function
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:23:05 +0200 |
parents | fbf3ede7541b |
children | 1087f697c3f3 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:22:17 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:23:05 2023 +0200 @@ -766,12 +766,8 @@ for field, prop_schema in pairs(registration_schema.properties) do if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then - local components = url.parse(client_metadata[field]); - if components.scheme ~= "https" then - return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden"); - end - if components.authority ~= client_uri.authority then - return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname"); + if not redirect_uri_allowed(client_metadata[field], client_uri, "web") then + return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI"); end end end @@ -779,11 +775,8 @@ -- Localized URIs should be secure too for k, v in pairs(client_metadata) do if k:find"_uri#" then - local uri = url.parse(v); - if not uri or uri.scheme ~= "https" then - return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k); - elseif uri.host ~= client_uri.host then - return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri"); + if not redirect_uri_allowed(v, client_uri, "web") then + return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI"); end end end