# HG changeset patch
# User Kim Alvefur
# Date 1682867807 -7200
# Node ID 434ee49b04def053f5a8d4750ae86509a2afff66
# Parent 9b9d612f9083fa4b58145c3200604fa425e6e53a
mod_http_oauth2: Allow loopback IP literals in redirect URIs
Previously only exactly "http://localhost" was allowed, but RFC 8252 seems to recommend both ::1 and 127.0.0.1 be allowed.
diff -r 9b9d612f9083 -r 434ee49b04de mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Apr 30 16:58:53 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Apr 30 17:16:47 2023 +0200
@@ -729,7 +729,7 @@
 local function redirect_uri_allowed(redirect_uri, client_uri, app_type)
 local uri = url.parse(redirect_uri);
 if app_type == "native" then
- return uri.scheme == "http" and uri.host == "localhost" or uri.scheme ~= "https";
+ return uri.scheme == "http" and loopbacks:contains(uri.host) or uri.scheme ~= "https";
 elseif app_type == "web" then
 return uri.scheme == "https" and uri.host == client_uri.host;
 end
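Review bot: The loopback check on the added line never actually restricts anything, because `and` binds tighter than `or` in Lua and the trailing `uri.scheme ~= "https"` is true for every http URI, so the whole expression reduces to `uri.scheme ~= "https"` and an http redirect URI on an arbitrary host is accepted exactly as it was with the old `localhost` comparison. If the intent is that plain http is allowed only for loopback hosts while custom (non-http, non-https) schemes remain allowed, the line should read `return uri.scheme == "http" and loopbacks:contains(uri.host) or not (uri.scheme == "http" or uri.scheme == "https");`. It is also worth confirming that `url.parse` yields `::1` rather than `[::1]` as the host of an IPv6 literal, since the set lookup is an exact string match and the new entry would otherwise never match. `loopbacks` is defined outside the hunk, and `redirect_uri_allowed` continues past its last line.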