# HG changeset patch
# User Kim Alvefur
# Date 1698574815 -3600
# Node ID 8cb3da7df521fae119b41d3ecf3d6d7ed21df7d3
# Parent b43c989fb69cd79fce2d3db9b6ca47d9ae186391
mod_http_oauth2: Restrict introspection to clients own tokens

The introspection code was added before the client hash was added in 0860497152af which allows connecting tokens to clients.

diff -r b43c989fb69c -r 8cb3da7df521 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 25 09:31:21 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Oct 29 11:20:15 2023 +0100
@@ -1061,6 +1061,11 @@
 return 401;
 end
 
+local client = check_client(credentials.username);
+if not client then
+return 401;
+end
+
 local form_data = http.formdecode(request.body or "=");
 local token = form_data.token;
 if not token then
@@ -1071,6 +1076,10 @@
 if not token_info then
 return { headers = { content_type = "application/json" }; body = json.encode { active = false } };
 end
+local token_client = token_info.grant.data.oauth2_client;
+if not token_client or token_client.hash ~= client.client_hash then
+return 403;
+end
 
 return {
 headers = { content_type = "application/json" };
@@ -1083,7 +1092,7 @@
 exp = token.expires;
 iat = token.created;
 sub = url.build({ scheme = "xmpp"; path = token_info.jid });
-aud = nil;
+aud = credentials.username;
 iss = get_issuer();
 jti = token_info.id;
 };
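Review bot: The new `return 403;` in the client-hash check tells an authenticated client that the submitted token exists and belongs to a different client, while a token that does not exist gets `active = false` three lines above, so the two outcomes are distinguishable from the response. RFC 7662 §2.2 requires an introspection response with `active` set to `false` when the caller is not allowed to introspect that particular token, so the ownership failure should return the same body as the not-found case: `return { headers = { content_type = "application/json" }; body = json.encode { active = false } };` in place of `return 403;`. Separately, `token_info.grant.data.oauth2_client` indexes `grant` and `data` unconditionally; the commit message says introspection predates the client hash, so if tokens issued before that change lack either field the lookup raises instead of reaching the `not token_client` branch — worth confirming against the token store's record shape. The enclosing handler begins and ends outside this hunk.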
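Review bot: `aud = credentials.username;` derives the audience claim from the caller's Basic-auth username (which `check_client(credentials.username)` in the first hunk treats as the client id) rather than from the token record, so the response describes who asked rather than who the token was issued to; the two coincide only because of the hash comparison in the previous hunk. If the stored `oauth2_client` record carries the client id, reading it from `token_client` would keep the claim bound to the token even if the ownership check is later relaxed or moved. `token_client` is a local in the same handler, whose end lies outside this hunk.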