# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1679432558 -3600
# Node ID f845c218e52ca98db4ab01da67ecdd24efa6c42e
# Parent  d3ebaef1ea7a531f9a30ebbf3fa815883a2ead37
mod_http_oauth2: Allow revoking a token without OAuth client credentials

If you have a valid token, and you're not supposed to have it, revoking
it seems the most responsible thing to do with it, so it should be
allowed, while if you are supposed to have it, you should also be
allowed to revoke it.

diff -r d3ebaef1ea7a -r f845c218e52c mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 21:57:18 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 22:02:38 2023 +0100
@@ -570,20 +570,20 @@
 
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
-	if not request.headers.authorization then
-		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
-		return 401;
-	elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
+		if request.headers.content_type ~= "application/x-www-form-urlencoded"
 	or not request.body or request.body == "" then
 		return 400;
 	end
-	local credentials = get_request_credentials(request);
-	if not credentials or credentials.type ~= "basic" then
-		return 400;
-	end
-	-- OAuth "client" credentials
-	if not verify_client_secret(credentials.username, credentials.password) then
-		return 401;
+	if request.headers.authorization then
+		local credentials = get_request_credentials(request);
+		if not credentials or credentials.type ~= "basic" then
+			response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+			return 401;
+		end
+		-- OAuth "client" credentials
+		if not verify_client_secret(credentials.username, credentials.password) then
+			return 401;
+		end
 	end
 
 	local form_data = http.formdecode(event.request.body);