Mercurial > prosody-modules
changeset 5242:4746609a6656
mod_http_oauth2: Validate that informative URLs match the redirect URIs
It is a bit shady to have the various URIs (URLs really) point to
different hostnames.
This may be quite stricter than required, but can always be relaxed
later.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 11 Mar 2023 22:31:02 +0100 (21 months ago) |
parents | 65892dd1d4ae |
children | d5dc8edb2695 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 15 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:25:50 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:31:02 2023 +0100 @@ -600,12 +600,27 @@ return oauth_error("invalid_request", "Failed schema validation."); end + local redirect_hosts = set.new(); for _, redirect_uri in ipairs(client_metadata.redirect_uris) do local components = url.parse(redirect_uri); if not components or not components.scheme then return oauth_error("invalid_request", "Invalid redirect URI."); elseif components.scheme == "http" and components.host ~= "localhost" then return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)"); + elseif components.scheme == "https" then + redirect_hosts:add(components.host); + end + end + + for field, prop_schema in pairs(registration_schema) do + if prop_schema.format == "uri" and client_metadata[field] then + local components = url.parse(client_metadata[field]); + if components.scheme ~= "https" then + return oauth_error("invalid_request", "Insecure URI forbidden"); + end + if not redirect_hosts:contains(components.host) then + return oauth_error("invalid_request", "Informative URI must match redirect URIs"); + end end end