# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1683037885 -7200
# Node ID c7a5caad28ef6df3e1ce08d7d8af5a65b48c15b8
# Parent  1087f697c3f34f7750cc5770003fa4b5eb95f2b0
mod_http_oauth2: Enforce response type encoded in client_id

The client promises to only use this response type, so we should hold
them to that.

This makes it fail earlier if the response type is disabled or the
client is trying to use one that it promised not to use.  Better than
failing after login and consent.

diff -r 1087f697c3f3 -r c7a5caad28ef mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:23:40 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue May 02 16:31:25 2023 +0200
@@ -620,6 +620,12 @@
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
 
+	local client_response_types = set.new(array(client.response_types or { "code" }));
+	client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
+	if not client_response_types:contains(params.response_type) then
+		return oauth_error("invalid_client", "response_type not allowed");
+	end
+
 	local auth_state = get_auth_state(request);
 	if not auth_state.user then
 		-- Render login page