# HG changeset patch
# User Matthew Wild
# Date 1678098554 0
# Node ID 942f8a2f722dff73c8303eb4e3287d9c1bd75494
# Parent aaa64c647e1271ed86cc55b191a637df0e08ea7f
mod_http_oauth2: Allow non-HTTPS on localhost URLs

This is the recommended behaviour (draft-ietf-oauth-v2-1-07 section 7.5.1).

diff -r aaa64c647e12 -r 942f8a2f722d mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 09:46:58 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 10:29:14 2023 +0000
@@ -11,6 +11,7 @@
 local base64 = encodings.base64;
 local random = require "util.random";
 local schema = require "util.jsonschema";
+local set = require "util.set";
 local jwt = require"util.jwt";
 local it = require "util.iterators";
 local array = require "util.array";
@@ -114,6 +115,12 @@
 	return (module:http_url(nil, "/"):gsub("/$", ""));
 end
 
+local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
+local function is_secure_redirect(uri)
+	local u = url.parse(uri);
+	return u.scheme ~= "http" or loopbacks:contains(u.host);
+end
+
 local function oauth_error(err_name, err_desc)
 	return errors.new({
 		type = "modify";
@@ -378,7 +385,7 @@
 local function error_response(request, err)
 	local q = request.url.query and http.formdecode(request.url.query);
 	local redirect_uri = q and q.redirect_uri;
-	if not redirect_uri or not redirect_uri:match("^https://") then
+	if not redirect_uri or not is_safe_redirect(redirect_uri) then
 		module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or "");
 		return render_page(templates.error, { error = err });
 	end
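Review bot: `is_secure_redirect` indexes the result of `url.parse(uri)` without checking it, so a `redirect_uri` the parser rejects raises inside the check instead of returning false; a guard such as `if not u or not u.scheme then return false; end` before the `return` keeps the caller on its error-page path. The test as written also treats every scheme other than plain `http` as secure, which is wider than the `^https://` match it replaces; if HTTPS plus loopback HTTP is what is intended, `return u.scheme == "https" or (u.scheme == "http" and loopbacks:contains(u.host));` says so directly, and any custom-scheme redirects for native clients would then need explicit handling rather than passing by default. The loopback match compares `u.host` case-sensitively and depends on how `util.url` (not visible in the patch) renders an IPv6 literal, so whether `::1` arrives bracketed is worth confirming. As I read the cited draft, and RFC 8252 before it, literal `localhost` is discouraged in favour of the loopback IP addresses because it may not resolve to loopback; a short comment on the `loopbacks` line recording why it is included would help the next reader.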
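Review bot: The new condition calls `is_safe_redirect`, but the helper added earlier in this patch is named `is_secure_redirect`, so the name resolves to an undefined global and `error_response` fails with an attempt to call a nil value on exactly the path that is meant to render the error page. Either rename the call to `if not redirect_uri or not is_secure_redirect(redirect_uri) then` or rename the definition to match; luacheck would report the unknown global. The body of `error_response` continues past the end of the hunk.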