# HG changeset patch
# User Kim Alvefur
# Date 1683037385 -7200
# Node ID c574aaaa4d573f2734ffc71f452b63c2d7761c55
# Parent fbf3ede7541b113aa694f6c04b1918b577e4e768
mod_http_oauth2: Simplify validation of various URIs Why: diffstat How: Reuse of the redirect_uri_allowed() function
diff -r fbf3ede7541b -r c574aaaa4d57 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:22:17 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:23:05 2023 +0200
@@ -766,12 +766,8 @@
 for field, prop_schema in pairs(registration_schema.properties) do
 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
- local components = url.parse(client_metadata[field]);
- if components.scheme ~= "https" then
- return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
- end
- if components.authority ~= client_uri.authority then
- return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
+ if not redirect_uri_allowed(client_metadata[field], client_uri, "web") then
+ return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
 end
 end
 end
@@ -779,11 +775,8 @@
 -- Localized URIs should be secure too
 for k, v in pairs(client_metadata) do
 if k:find"_uri#" then
- local uri = url.parse(v);
- if not uri or uri.scheme ~= "https" then
- return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
- elseif uri.host ~= client_uri.host then
- return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
+ if not redirect_uri_allowed(v, client_uri, "web") then
+ return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI");
 end
 end
 end
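Review bot: The new error in the second hunk drops the offending key that the removed message carried (`"Missing, invalid or insecure "..k`), so a client registering several localized `*_uri#` values can no longer tell which one was rejected, and the first hunk likewise reports no field name; suggest `return nil, oauth_error("invalid_client_metadata", "Invalid, insecure or inappropriate informative URI: "..k);` in the second loop and the analogous `..field` in the first. Also note that the removed code in the first loop compared `components.authority` (which includes any port) while the second compared `uri.host`, and the second explicitly handled `url.parse` returning nil; `redirect_uri_allowed` is defined outside these hunks, so which comparison it applies and whether it copes with an unparseable value should be confirmed, since both loops now inherit one rule. The enclosing function starts and ends outside both hunks.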