Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5420:aa068449b0b6

mod_http_oauth2: Bail out of implicit flow on invalid or missing redirect

Probably hasn't been tested, and maybe never will since it's disabled and more or less deprecated in OAuth 2.1
author Kim Alvefur <zash@zash.se>
date Sat, 06 May 2023 12:23:22 +0200
parent 5419:a0333176303c
child 5423:5b2352dda31f
5419:a0333176303c 5420:aa068449b0b6
335 end 335 end
336 local granted_scopes, granted_role = filter_scopes(request_username, params.scope); 336 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
337 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil); 337 local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil);
338 338
339 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri)); 339 local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
340 if not redirect then return 400; end
340 token_info.state = params.state; 341 token_info.state = params.state;
341 redirect.fragment = http.formencode(token_info); 342 redirect.fragment = http.formencode(token_info);
342 343
343 return { 344 return {
344 status_code = 303; 345 status_code = 303;