Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5209:942f8a2f722d

mod_http_oauth2: Allow non-HTTPS on localhost URLs This is the recommended behaviour (draft-ietf-oauth-v2-1-07 section 7.5.1).
author Matthew Wild <mwild1@gmail.com>
date Mon, 06 Mar 2023 10:29:14 +0000
parent 5208:aaa64c647e12
child 5210:898575a0c6f3
comparison
equal deleted inserted replaced
5208:aaa64c647e12 5209:942f8a2f722d
9 local uuid = require "util.uuid"; 9 local uuid = require "util.uuid";
10 local encodings = require "util.encodings"; 10 local encodings = require "util.encodings";
11 local base64 = encodings.base64; 11 local base64 = encodings.base64;
12 local random = require "util.random"; 12 local random = require "util.random";
13 local schema = require "util.jsonschema"; 13 local schema = require "util.jsonschema";
14 local set = require "util.set";
14 local jwt = require"util.jwt"; 15 local jwt = require"util.jwt";
15 local it = require "util.iterators"; 16 local it = require "util.iterators";
16 local array = require "util.array"; 17 local array = require "util.array";
17 local st = require "util.stanza"; 18 local st = require "util.stanza";
18 19
110 return code and code_expires_in(code) + 1 or 900; 111 return code and code_expires_in(code) + 1 or 900;
111 end) 112 end)
112 113
113 local function get_issuer() 114 local function get_issuer()
114 return (module:http_url(nil, "/"):gsub("/$", "")); 115 return (module:http_url(nil, "/"):gsub("/$", ""));
116 end
117
118 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
119 local function is_secure_redirect(uri)
120 local u = url.parse(uri);
121 return u.scheme ~= "http" or loopbacks:contains(u.host);
115 end 122 end
116 123
117 local function oauth_error(err_name, err_desc) 124 local function oauth_error(err_name, err_desc)
118 return errors.new({ 125 return errors.new({
119 type = "modify"; 126 type = "modify";
376 -- the redirect_uri is missing or invalid. In those cases, we render an 383 -- the redirect_uri is missing or invalid. In those cases, we render an
377 -- error directly to the user-agent. 384 -- error directly to the user-agent.
378 local function error_response(request, err) 385 local function error_response(request, err)
379 local q = request.url.query and http.formdecode(request.url.query); 386 local q = request.url.query and http.formdecode(request.url.query);
380 local redirect_uri = q and q.redirect_uri; 387 local redirect_uri = q and q.redirect_uri;
381 if not redirect_uri or not redirect_uri:match("^https://") then 388 if not redirect_uri or not is_safe_redirect(redirect_uri) then
382 module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or ""); 389 module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or "");
383 return render_page(templates.error, { error = err }); 390 return render_page(templates.error, { error = err });
384 end 391 end
385 local redirect_query = url.parse(redirect_uri); 392 local redirect_query = url.parse(redirect_uri);
386 local sep = redirect_query and "&" or "?"; 393 local sep = redirect_query and "&" or "?";