mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.

module:set_global();

local tostring = tostring;
local filters = require "util.filters";

local function log_send(t, session)
	if t and t ~= "" and t ~= " " then
		session.log("debug", "SEND(%d): %s", #t, tostring(t));
	end
	return t;
end

local function log_recv(t, session)
	if t and t ~= "" and t ~= " " then
		session.log("debug", "RECV(%d): %s", #t, tostring(t));
	end
	return t;
end

local function init_raw_logging(session)
	filters.add_filter(session, "bytes/in",  log_recv, -10000);
	filters.add_filter(session, "bytes/out", log_send,  10000);
end

filters.add_filter_hook(init_raw_logging);

function module.unload() -- luacheck: ignore
	filters.remove_filter_hook(init_raw_logging);
end