prosody-modules
a44af1b646f5
mod_http_oauth2/mod_http_oauth2.lua
Software / code / prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5644:a44af1b646f5
mod_http_oauth2: Optionally enforce authentication on revocation endpoint
But why do OAuth require this? If a token leaks, why couldn't anyone
revoke it?
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 31 Jul 2023 02:07:58 +0200 |
| parent | 5626:81042c2a235a |
| child | 5646:9aace51c3637 |
comparison
equal
deleted
inserted
replaced
| 5643:e86a1018cdb3 | 5644:a44af1b646f5 |
|---|---|
| 1039 }); | 1039 }); |
| 1040 }; | 1040 }; |
| 1041 } | 1041 } |
| 1042 end | 1042 end |
| 1043 | 1043 |
| 1044 local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false); | |
| 1045 | |
| 1044 local function handle_revocation_request(event) | 1046 local function handle_revocation_request(event) |
| 1045 local request, response = event.request, event.response; | 1047 local request, response = event.request, event.response; |
| 1046 response.headers.cache_control = "no-store"; | 1048 response.headers.cache_control = "no-store"; |
| 1047 response.headers.pragma = "no-cache"; | 1049 response.headers.pragma = "no-cache"; |
| 1048 if request.headers.authorization then | 1050 if request.headers.authorization then |
| 1053 end | 1055 end |
| 1054 -- OAuth "client" credentials | 1056 -- OAuth "client" credentials |
| 1055 if not verify_client_secret(credentials.username, credentials.password) then | 1057 if not verify_client_secret(credentials.username, credentials.password) then |
| 1056 return 401; | 1058 return 401; |
| 1057 end | 1059 end |
| 1060 -- TODO check that it's their token I guess? | |
| 1061 elseif strict_auth_revoke then | |
| 1062 -- Why require auth to revoke a leaked token? | |
| 1063 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); | |
| 1064 return 401; | |
| 1058 end | 1065 end |
| 1059 | 1066 |
| 1060 local form_data = strict_formdecode(event.request.body); | 1067 local form_data = strict_formdecode(event.request.body); |
| 1061 if not form_data or not form_data.token then | 1068 if not form_data or not form_data.token then |
| 1062 response.headers.accept = "application/x-www-form-urlencoded"; | 1069 response.headers.accept = "application/x-www-form-urlencoded"; |
