# HG changeset patch
# User Kim Alvefur
# Date 1683037255 -7200
# Node ID c8d04ac200fc4b04a5b04585fe2e43855927bf5c
# Parent 71766a4a7322e26ee30ab443a028ae41b651a474
mod_http_oauth2: Reject loopback URIs as client_uri
This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.
diff -r 71766a4a7322 -r c8d04ac200fc mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:14:22 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:20:55 2023 +0200
@@ -754,7 +754,7 @@
 end
 local client_uri = url.parse(client_metadata.client_uri);
- if not client_uri or client_uri.scheme ~= "https" then
+ if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
 return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
 end
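Review bot: The new `loopbacks:contains(client_uri.host)` test is an exact-match set lookup, so it only rejects the spellings that happen to be in `loopbacks` (defined outside this hunk); a host written as `LOCALHOST`, a `.localhost` name (RFC 6761 reserves the whole label as loopback) or another address in 127/8 would presumably still pass, which is worth stating in the code or closing. Case-folding before the lookup closes the cheapest gap: `local host = client_uri.host and client_uri.host:lower();` followed by `or loopbacks:contains(host)` in the condition. Whether `url.parse` strips the brackets from an IPv6 literal host depends on the LuaSocket version in use, so whether `::1` or `[::1]` reaches the set is worth a test. A one-line comment would also help a reader who lacks the commit message: `-- a loopback host cannot be the client's public website, so treat it as invalid`. The enclosing function starts and ends outside the hunk.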