changeset 5246:fd0d25b42cd9
mod_http_oauth2: Validate all URIs against client_uri in client registration
Validating against all redirect URIs didn't work for OOB-only clients,
which happens to be what I was testing with.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 12 Mar 2023 12:06:44 +0100 (22 months ago) |
parents | e22cae58141d |
children | dc27b997e969 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 10 insertions(+), 6 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 12 11:27:29 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Mar 12 12:06:44 2023 +0100
@@ -600,26 +600,30 @@
 return oauth_error("invalid_request", "Failed schema validation.");
 end
- local redirect_hosts = set.new();
+ local client_uri = url.parse(client_metadata.client_uri);
+ if not client_uri or client_uri.scheme ~= "https" then
+ return oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
+ end
+
 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 local components = url.parse(redirect_uri);
 if not components or not components.scheme then
 return oauth_error("invalid_request", "Invalid redirect URI.");
 elseif components.scheme == "http" and components.host ~= "localhost" then
 return oauth_error("invalid_request", "Insecure redirect URI forbidden (except http://localhost)");
- elseif components.scheme == "https" then
- redirect_hosts:add(components.host);
+ elseif components.scheme == "https" and components.host ~= client_uri.host then
+ return oauth_error("invalid_request", "Redirects must use the same hostname as client_uri");
 end
 end
 for field, prop_schema in pairs(registration_schema.properties) do
- if prop_schema.format == "uri" and client_metadata[field] then
+ if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
 local components = url.parse(client_metadata[field]);
 if components.scheme ~= "https" then
 return oauth_error("invalid_request", "Insecure URI forbidden");
 end
- if not redirect_hosts:contains(components.host) then
- return oauth_error("invalid_request", "Informative URI must match redirect URIs");
+ if components.authority ~= client_uri.authority then
+ return oauth_error("invalid_request", "Informative URIs must have the same hostname");
 end
 end
 end
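Review bot: The informative-URI loop dereferences `components` without the nil guard the redirect loop has (`if not components or not components.scheme`), so a registration value that `url.parse` rejects raises "attempt to index a nil value" inside the handler instead of returning an `invalid_request` error; change the scheme check to `if not components or components.scheme ~= "https" then`. The new client_uri guard also accepts a parse result with no host (a bare `https:`, for example), which is then compared against redirect hosts and informative-URI authorities as nil — adding `or not client_uri.host` to that condition closes the gap, assuming `url.parse` leaves absent components nil as LuaSocket's does. Minor: the authority comparison also covers userinfo and port while the error text says "hostname"; either compare `.host` like the redirect loop does or reword the message to match. The enclosing registration handler starts and ends outside the hunk.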