changeset 5420:aa068449b0b6

mod_http_oauth2: Bail out of implicit flow on invalid or missing redirect. This path probably hasn't been tested, and maybe never will be, since it's disabled and more or less deprecated in OAuth 2.1.
author Kim Alvefur <zash@zash.se>
date Sat, 06 May 2023 12:23:22 +0200
parents a0333176303c
children a58ba20b3a71
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 0 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri May 05 21:32:34 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat May 06 12:23:22 2023 +0200
@@ -337,6 +337,7 @@
 	local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil);
 
 	local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
+	if not redirect then return 400; end
 	token_info.state = params.state;
 	redirect.fragment = http.formencode(token_info);