Software /
code /
prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5475:022733437fef
mod_http_oauth2: Validate redirect_uri before using it for error redirects
To be extra sure that it is safe to use in redirects from this point on.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 18 May 2023 14:02:09 +0200 |
parent | 5474:d0b93105b289 |
child | 5476:575f52b15f5a |
comparison
equal
deleted
inserted
replaced
5474:d0b93105b289 | 5475:022733437fef |
---|---|
700 local ok, client = verify_client(params.client_id); | 700 local ok, client = verify_client(params.client_id); |
701 | 701 |
702 if not ok then | 702 if not ok then |
703 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); | 703 return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter")); |
704 end | 704 end |
705 | |
706 if not get_redirect_uri(client, params.redirect_uri) then | |
707 return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter")); | |
708 end | |
709 -- From this point we know that redirect_uri is safe to use | |
705 | 710 |
706 local client_response_types = set.new(array(client.response_types or { "code" })); | 711 local client_response_types = set.new(array(client.response_types or { "code" })); |
707 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); | 712 client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); |
708 if not client_response_types:contains(params.response_type) then | 713 if not client_response_types:contains(params.response_type) then |
709 return error_response(request, oauth_error("invalid_client", "'response_type' not allowed")); | 714 return error_response(request, oauth_error("invalid_client", "'response_type' not allowed")); |