Software `/` code `/` prosody-modules

Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5209:942f8a2f722d

mod_http_oauth2: Allow non-HTTPS on localhost URLs This is the recommended behaviour (draft-ietf-oauth-v2-1-07 section 7.5.1).

author	Matthew Wild <mwild1@gmail.com>
date	Mon, 06 Mar 2023 10:29:14 +0000
parent	5208:aaa64c647e12
child	5210:898575a0c6f3

comparison

equal deleted inserted replaced

-:aaa64c647e12
+:942f8a2f722d
 local uuid = require "util.uuid";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
 local schema = require "util.jsonschema";
+local set = require "util.set";
 local jwt = require"util.jwt";
 local it = require "util.iterators";
 local array = require "util.array";
 local st = require "util.stanza";
 	return code and code_expires_in(code) + 1 or 900;
 end)
 local function get_issuer()
 	return (module:http_url(nil, "/"):gsub("/$", ""));
+end
+local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
+local function is_secure_redirect(uri)
+	local u = url.parse(uri);
+	return u.scheme ~= "http" or loopbacks:contains(u.host);
 end
 local function oauth_error(err_name, err_desc)
 	return errors.new({
 		type = "modify";
 -- the redirect_uri is missing or invalid. In those cases, we render an
 -- error directly to the user-agent.
 local function error_response(request, err)
 	local q = request.url.query and http.formdecode(request.url.query);
 	local redirect_uri = q and q.redirect_uri;
-	if not redirect_uri or not redirect_uri:match("^https://") then
+	if not redirect_uri or not is_safe_redirect(redirect_uri) then
 		module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or "");
 		return render_page(templates.error, { error = err });
 	end
 	local redirect_query = url.parse(redirect_uri);
 	local sep = redirect_query and "&" or "?";

prosody-modules

942f8a2f722d

mod_http_oauth2/mod_http_oauth2.lua

Software / code / prosody-modules

Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5209:942f8a2f722d

Software `/` code `/` prosody-modules