view mod_invites_tracking/mod_invites_tracking.lua @ 5404:1087f697c3f3

mod_http_oauth2: Strip unknown extra fields from client registration We shouldn't sign things we don't understand! RFC 7591 section-2 states: > The authorization server MUST ignore any client metadata sent by the > client that it does not understand (for instance, by silently removing > unknown metadata from the client's registration record during > processing). Prevents grandfathering in of unvalidated data that might become used later, especially since the 'additionalProperties' schema keyword was removed in 698fef74ce53
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:23:40 +0200
parents 32f1f18f4874
children cb3b2fbf57e7
line wrap: on
line source

local tracking_store = module:open_store("invites_tracking");

module:hook("user-registered", function(event)
	local validated_invite = event.validated_invite or (event.session and event.session.validated_invite);
	local new_username = event.username;

	local invite_id = nil;
	local invite_source = nil;
	if validated_invite then
		invite_source = validated_invite.additional_data and validated_invite.additional_data.source;
		invite_id = validated_invite.token;
	end

	tracking_store:set(new_username, {invite_id = validated_invite.token, invite_source = invite_source});
	module:log("debug", "recorded that invite from %s was used to create %s", invite_source, new_username)
end);

-- " " is an invalid localpart -> we can safely use it for store metadata
tracking_store:set(" ", {version="1"});