Mercurial > prosody-modules
view mod_atom/mod_atom.lua @ 5682:527c747711f3
mod_http_oauth2: Limit revocation to clients own tokens in strict mode
RFC 7009 section 2.1 states:
> The authorization server first validates the client credentials (in
> case of a confidential client) and then verifies whether the token was
> issued to the client making the revocation request. If this
> validation fails, the request is refused and the client is informed of
> the error by the authorization server as described below.
The first part was already covered (in strict mode). This adds the later
part using the hash of client_id recorded in 0860497152af
It still seems weird to me that revoking a leaked token should not be
allowed whoever might have discovered it, as that seems the responsible
thing to do.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Oct 2023 11:30:49 +0100 |
parents | 5dd505c39c4b |
children |
line wrap: on
line source
-- HTTP Access to PEP -> microblog -- By Kim Alvefur <zash@zash.se> local mod_pep = module:depends"pep"; local um = require "core.usermanager"; local nodeprep = require "util.encodings".stringprep.nodeprep; local st = require "util.stanza"; local urlencode = require "util.http".urlencode; module:depends("http") module:provides("http", { route = { ["GET /*"] = function (event, user) if user == "" then return [[<h1>Hello from mod_atom</h1><p>This module provides access to public microblogs of local users.</p>]]; end; local request, response = event.request, event.response; local actor = request.ip; local prepped = nodeprep(user); if not prepped then return 400; end if prepped ~= user then response.headers.location = module:http_url() .. "/" .. urlencode(prepped); return 302; end if not um.user_exists(user, module.host) then return 404; end local pubsub_service = mod_pep.get_pep_service(user); local ok, items = pubsub_service:get_items("urn:xmpp:microblog:0", actor); if ok then response.headers.content_type = "application/xml"; local feed = st.stanza("feed", { xmlns = "http://www.w3.org/2005/Atom" }) :text_tag("generator", "Prosody", { uri = "xmpp:prosody.im", version = prosody.version }) :text_tag("title", pubsub_service.nodes["urn:xmpp:microblog:0"].config.title or "Microblog feed") :text_tag("subtitle", pubsub_service.nodes["urn:xmpp:microblog:0"].config.description) :tag("author") :text_tag("name", user) :text_tag("preferredUsername", user, { xmlns = "http://portablecontacts.net/spec/1.0" }); local ok, _, nick = pubsub_service:get_last_item("http://jabber.org/protocol/nick", actor); if ok and nick then feed:text_tag("displayName", nick.tags[1][1], { xmlns = "http://portablecontacts.net/spec/1.0" }); end feed:reset(); for i = #items, 1, -1 do feed:add_direct_child(items[items[i]].tags[1]); end return tostring(feed); elseif items == "forbidden" then return 403; elseif items == "item-not-found" then return 404; end end; } });