# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1678099063 0
# Node ID 898575a0c6f3f6a494231b962801d256545f18f7
# Parent  942f8a2f722dff73c8303eb4e3287d9c1bd75494
mod_http_oauth2: Switch to '303 See Other' redirects

This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is
the only redirect code that guarantees the user agent will use a GET request,
rather than re-submitting a POST request to the new URL.

The latter would be bad for us, as we are encoding auth tokens in the form
data.

diff -r 942f8a2f722d -r 898575a0c6f3 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 10:29:14 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 10:37:43 2023 +0000
@@ -211,7 +211,7 @@
 	redirect.query = http.formencode(query);
 
 	return {
-		status_code = 302;
+		status_code = 303;
 		headers = {
 			location = url.build(redirect);
 		};
@@ -229,7 +229,7 @@
 	redirect.fragment = http.formencode(token_info);
 
 	return {
-		status_code = 302;
+		status_code = 303;
 		headers = {
 			location = url.build(redirect);
 		};
@@ -396,7 +396,7 @@
 		.. "&" .. http.formencode({ state = q.state, iss = get_issuer() });
 	module:log("warn", "Sending error response to client via redirect to %s", redirect_uri);
 	return {
-		status_code = 302;
+		status_code = 303;
 		headers = {
 			location = redirect_uri;
 		};