changeset 5267:60e0bc35de33

mod_http_oauth2: Relax payload content type checking in revocation The code expected Content-Type: application/x-www-form-urlencoded HTTPie sent Content-Type: application/x-www-form-urlencoded; charset=utf-8 It did not work
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 22:29:47 +0100
parents 5943605201ca
children bac39c6e7203
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 3 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 22:23:28 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 22:29:47 2023 +0100
@@ -548,10 +548,6 @@
 
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
-		if request.headers.content_type ~= "application/x-www-form-urlencoded"
-	or not request.body or request.body == "" then
-		return 400;
-	end
 	if request.headers.authorization then
 		local credentials = get_request_credentials(request);
 		if not credentials or credentials.type ~= "basic" then
@@ -564,9 +560,10 @@
 		end
 	end
 
-	local form_data = http.formdecode(event.request.body);
+	local form_data = http.formdecode(event.request.body or "");
 	if not form_data or not form_data.token then
-		return 400;
+		response.headers.accept = "application/x-www-form-urlencoded";
+		return 415;
 	end
 	local ok, err = tokens.revoke_token(form_data.token);
 	if not ok then