mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.

local jid = require "util.jid";
local st = require "util.stanza";

local local_rooms = module:get_option_inherited_set("muc_local_only", {});

module:hook("muc-occupant-pre-join", function (event)
	local room = event.room;
	if not local_rooms:contains(room.jid) then
		return; -- Not a protected room, ignore
	end
	local user_jid = event.occupant.bare_jid;
	local user_host = jid.host(user_jid);
	if not prosody.hosts[user_host] then
		local error_reply = st.error_reply(event.stanza, "cancel", "forbidden", "This group is only available to local users", room.jid);
		event.origin.send(error_reply);
		return true;
	end
	room:set_affiliation(true, user_jid, "member", "Granting access to local user");
end);