Mercurial > prosody-modules
changeset 5357:eda3b078ba2c
mod_http_oauth2: Validate (unused at this point) localized URIs
Client registration may include keys of the form "some_uri#lang-code"
pointing to alternate language versions of the various URIs. We don't
use this yet but the same validation should apply.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 22 Apr 2023 14:02:56 +0200 |
| parents | 959dc350f2ad |
| children | 0905d348bd34 |
| files | mod_http_oauth2/mod_http_oauth2.lua |
| diffstat | 1 files changed, 13 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 22 14:06:41 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 22 14:02:56 2023 +0200 @@ -670,6 +670,7 @@ software_version = { type = "string" }; }; -- Localized versions of descriptive properties and URIs + patternProperties = { ["^[a-z_]+_uri#"] = { type = "string"; format = "uri"; pattern = "^https:" } }; additionalProperties = { type = "string" }; } @@ -706,6 +707,18 @@ end end + -- Localized URIs should be secure too + for k, v in pairs(client_metadata) do + if k:find"_uri#" then + local uri = url.parse(v); + if not uri or uri.scheme ~= "https" then + return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k); + elseif uri.host ~= client_uri.host then + return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri"); + end + end + end + -- Ensure each signed client_id JWT is unique, short ID and issued at -- timestamp should be sufficient to rule out brute force attacks client_metadata.nonce = id.short();