Mercurial > prosody-modules
view mod_strict_https/mod_strict_https.lua @ 5185:09d6bbd6c8a4
mod_http_oauth2: Fix treatment of 'redirect_uri' parameter in code flow
It's optional and the one stored in the client registration should
really be used instead. RFC 6749 says an URI provided as parameter MUST
be validated against the stored one but does not say how.
Given that the client needs their secret to proceed, it seems fine to
leave this for later.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 02 Mar 2023 22:00:42 +0100 |
| parents | efa9c1676d1f |
| children | b3158647cb36 |
line wrap: on
line source
-- HTTP Strict Transport Security -- https://tools.ietf.org/html/rfc6797 module:set_global(); local http_server = require "net.http.server"; local hsts_header = module:get_option_string("hsts_header", "max-age=31556952"); -- This means "Don't even try to access without HTTPS for a year" local _old_send_response; local _old_fire_event; local modules = {}; function module.load() _old_send_response = http_server.send_response; function http_server.send_response(response, body) response.headers.strict_transport_security = hsts_header; return _old_send_response(response, body); end _old_fire_event = http_server._events.fire_event; function http_server._events.fire_event(event, payload) local request = payload.request; local host = event:match("^[A-Z]+ ([^/]+)"); local module = modules[host]; if module and not request.secure then payload.response.headers.location = module:http_url(request.path); return 301; end return _old_fire_event(event, payload); end end function module.unload() http_server.send_response = _old_send_response; http_server._events.fire_event = _old_fire_event; end function module.add_host(module) local http_host = module:get_option_string("http_host", module.host); modules[http_host] = module; function module.unload() modules[http_host] = nil; end end