# HG changeset patch
# User Kim Alvefur
# Date 1684412711 -7200
# Node ID af105c7a24b28de839cd049c4a2a1ca8674774f1
# Parent 5986e0edd7a398c1e3256bc04bc1fa728578777f
mod_http_oauth2: Always render errors as HTML for OOB redirect URI No invalid or insecure redirect URIs should make it to this point, so the warning can be removed.
diff -r 5986e0edd7a3 -r af105c7a24b2 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:17:58 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:25:11 2023 +0200
@@ -180,10 +180,6 @@
 local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
-local function is_secure_redirect(uri)
- local u = url.parse(uri);
- return u.scheme ~= "http" or loopbacks:contains(u.host);
-end
 local function oauth_error(err_name, err_desc)
 return errors.new({
@@ -607,8 +603,7 @@
 -- the redirect_uri is missing or invalid. In those cases, we render an
 -- error directly to the user-agent.
 local function error_response(request, redirect_uri, err)
- if not redirect_uri or not is_secure_redirect(redirect_uri) then
- module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri);
+ if not redirect_uri or redirect_uri == oob_uri then
 return render_error(err);
 end
 local q = request.url.query and http.formdecode(request.url.query);
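Review bot: With the `is_secure_redirect` guard gone, `error_response` redirects to any `redirect_uri` other than the OOB URN, so its safety now rests entirely on callers having validated the value first, and that validation is not visible in this hunk. The context comment above the function still says errors are rendered directly when the redirect_uri is "missing or invalid", but the new condition covers only the missing and OOB cases. I would state the precondition at the top of the function, for example `-- redirect_uri must already have been checked against the client's registered redirect URIs`, and reword the existing comment to match. If any caller can reach this with a value taken straight from the request, the redirect would go to an unvalidated target and carry the error parameters with it, so that is worth confirming. The body of `error_response` continues past the end of the hunk.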