mod_http_oauth2: Limit revocation to clients own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the later part using the hash of client_id recorded in 0860497152af It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.

local io_open = io.open;
local dm = require "core.storagemanager".olddm;

-- Append a blob of data to a file
function dm.append_raw(username, host, datastore, ext, data)
	if type(data) ~= "string" then return; end
	local filename = dm.getpath(username, host, datastore, ext, true);

	local ok;
	local f, msg = io_open(filename, "r+");
	if not f then
		-- File did probably not exist, let's create it
		f, msg = io_open(filename, "w");
		if not f then
			return nil, msg, "open";
		end
	end

	local pos = f:seek("end");

	ok, msg = f:write(data);
	if not ok then
		f:close();
		return ok, msg, "write";
	end

	ok, msg = f:close();
	if not ok then
		return ok, msg;
	end

	return true, pos;
end