# HG changeset patch
# User Matthew Wild
# Date 1678195159 0
# Node ID 25e824f64fd37384f1f6372d7fc777b93f27fc25
# Parent 1f4b768c831ad3d3bbda91954c2ee05fdeb75355
mod_http_oauth2: Improve handling of redirect_uri matching and fallback
Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it registered multiple. If it only registered a single URI, it may be omitted from the authorize request.
diff -r 1f4b768c831a -r 25e824f64fd3 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 13:14:25 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 07 13:19:19 2023 +0000
@@ -145,8 +145,17 @@
 end
 local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string
+	if not query_redirect_uri then
+		if #client.redirect_uris ~= 1 then
+			-- Client registered multiple URIs, it needs specify which one to use
+			return;
+		end
+		-- When only a single URI is registered, that's the default
+		return client.redirect_uris[1];
+	end
+	-- Verify the client-provided URI matches one previously registered
 	for _, redirect_uri in ipairs(client.redirect_uris) do
-		if query_redirect_uri == nil or query_redirect_uri == redirect_uri then
+		if query_redirect_uri == redirect_uri then
 			return redirect_uri
 		end
 	end
@@ -199,6 +208,8 @@
 		extra = code;
 	}) or ("Here's your authorization code:\n%s\n"):format(code);
 		return response;
+	elseif not redirect_uri then
+		return {status_code = 400};
 	end
 	local redirect = url.parse(redirect_uri);
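Review bot: The signature comment on `get_redirect_uri` (`-- record client, string : string`) is no longer accurate, because the new branches return nil both when no redirect_uri was supplied and the client has zero or several registered URIs, and when the supplied one matches none; update it to `-- record client, string? : string?` so callers can see they must handle a nil result. The new comment reads `it needs specify`; I'd make it `-- Client registered multiple (or no) URIs; it must specify which one to use`. Exact string comparison against the registered list is the right check here and should stay that way, with no prefix or pattern matching. `#client.redirect_uris` will raise if a client record carries no `redirect_uris` table at all; whether registration guarantees that field is not visible in this hunk, so it is worth confirming.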
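Review bot: The new `elseif not redirect_uri` branch runs after an authorization code has already been produced (the `extra = code` and `format(code)` lines above it use the value), so a request with a missing or unregistered redirect_uri is rejected only after a code was minted and, if the issuing path also persists it, possibly stored; I'd move the redirect_uri check ahead of code issuance, or make sure a code from a rejected request is never stored, though code generation lies outside this hunk so that ordering is inferred. Refusing to redirect and answering the request directly is the right response for an unverified redirect_uri, but an empty 400 tells the user nothing; `return {status_code = 400; body = "Missing or unregistered redirect_uri"};` would be more useful while keeping the user-supplied value out of the response body. The enclosing function begins and continues outside this hunk.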