Mercurial > prosody-modules
changeset 5187:6a3c1febd7be
mod_http_oauth2: Add settings for allowed grant and response types
So that you can opt-in to the insecure methods...
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 02 Mar 2023 23:57:29 +0100 (21 months ago) |
parents | fa3059e653fa |
children | 7c531137a553 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 15 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 02 22:06:50 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 02 23:57:29 2023 +0100 @@ -253,6 +253,21 @@ check_credentials = function () return false end end +local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"}) +for handler_type in pairs(grant_type_handlers) do + if not allowed_grant_type_handlers:contains(handler_type) then + grant_type_handlers[handler_type] = nil; + end +end + +-- "token" aka implicit flow is considered insecure +local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"}) +for handler_type in pairs(allowed_response_type_handlers) do + if not allowed_grant_type_handlers:contains(handler_type) then + grant_type_handlers[handler_type] = nil; + end +end + function handle_token_grant(event) event.response.headers.content_type = "application/json"; local params = http.formdecode(event.request.body);