mod_http_oauth2: Reject URLs with 'userinfo' part (thanks mimi89999) The LuaSocket parser supports these but they're deprecated without replacement by RFC 3986 > Use of the format "user:password" in the userinfo field is deprecated Allowing it in OAuth2 URLs is probably bad from a security perspective.

module:hook("authentication-success", function (event)
	local session = event.session;
	local sasl_handler = session and session.sasl_handler;
	local log = session and session.log or module._log
	log("info", "Authenticated with %s", sasl_handler and sasl_handler.selected or "legacy auth");
end);