Mercurial > prosody-modules
changeset 5420:aa068449b0b6
mod_http_oauth2: Bail out of implicit flow on invalid or missing redirect
Probably hasn't been tested, and maybe never will since it's disabled
and more or less deprecated in OAuth 2.1
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 06 May 2023 12:23:22 +0200 |
| parents | a0333176303c |
| children | a58ba20b3a71 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 1 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri May 05 21:32:34 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat May 06 12:23:22 2023 +0200 @@ -337,6 +337,7 @@ local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil); local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); + if not redirect then return 400; end token_info.state = params.state; redirect.fragment = http.formencode(token_info);