# HG changeset patch
# User Kim Alvefur
# Date 1678569950 -3600
# Node ID 65892dd1d4ae040885068a15b10647efb85acd6e
# Parent 001908044d0d0fa9a70a16d1a77493145d6aca67
mod_http_oauth2: Reject insecure redirect URIs

Is this enough, or are they going to be using ftp:// and gopher://?

diff -r 001908044d0d -r 65892dd1d4ae mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:22 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:25:50 2023 +0100
@@ -604,6 +604,8 @@
 		local components = url.parse(redirect_uri);
 		if not components or not components.scheme then
 			return oauth_error("invalid_request", "Invalid redirect URI.");
+		elseif components.scheme == "http" and components.host ~= "localhost" then
+			return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
 		end
 	end
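Review bot: The new `elseif` is a denylist of exactly one scheme, so any redirect URI whose scheme is not `http` still passes this check as long as url.parse returns a scheme — the `ftp://` and `gopher://` cases the commit message itself wonders about, but also `javascript:` or `data:` URIs if the value is ever rendered as a link; an allowlist (`https`, plus `http` on loopback, plus the private-use schemes of RFC 8252 §7.1 only if native clients are meant to be supported) is the safer shape. The host test is also an exact, case-sensitive `~= "localhost"`: the loopback literals `127.0.0.1` and `::1` that RFC 8252 §7.3 recommends for native apps are rejected, while a capitalised `LOCALHOST` would be accepted unless url.parse lowercases the host, which I do not think it does. A small loopback helper comparing the lowercased host against the three loopback names, with the branch rewritten as an allowlist, covers both points; how url.parse represents a bracketed IPv6 host should be checked before relying on the `::1` entry. The enclosing function starts before this hunk.
```lua
-- Loopback hosts may use plain http (RFC 8252 §7.3); verify how url.parse
-- renders a bracketed IPv6 literal before trusting the "::1" entries.
local function is_loopback(host)
	host = host and host:lower();
	return host == "localhost" or host == "127.0.0.1" or host == "::1" or host == "[::1]";
end
-- … unchanged: rest of the module up to the redirect URI validation …
		elseif components.scheme ~= "https" and not (components.scheme == "http" and is_loopback(components.host)) then
			return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
```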