prosody-modules
af105c7a24b2
mod_http_oauth2/mod_http_oauth2.lua
Software / code / prosody-modules
Comparison
mod_http_oauth2/mod_http_oauth2.lua @ 5478:af105c7a24b2
mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 18 May 2023 14:25:11 +0200 |
| parent | 5477:5986e0edd7a3 |
| child | 5479:30e2722c9fa3 |
comparison
equal
deleted
inserted
replaced
| 5477:5986e0edd7a3 | 5478:af105c7a24b2 |
|---|---|
| 178 -- code to the user for them to copy-paste into the client, which can then | 178 -- code to the user for them to copy-paste into the client, which can then |
| 179 -- continue as if it received it via redirect. | 179 -- continue as if it received it via redirect. |
| 180 local oob_uri = "urn:ietf:wg:oauth:2.0:oob"; | 180 local oob_uri = "urn:ietf:wg:oauth:2.0:oob"; |
| 181 | 181 |
| 182 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); | 182 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); |
| 183 local function is_secure_redirect(uri) | |
| 184 local u = url.parse(uri); | |
| 185 return u.scheme ~= "http" or loopbacks:contains(u.host); | |
| 186 end | |
| 187 | 183 |
| 188 local function oauth_error(err_name, err_desc) | 184 local function oauth_error(err_name, err_desc) |
| 189 return errors.new({ | 185 return errors.new({ |
| 190 type = "modify"; | 186 type = "modify"; |
| 191 condition = "bad-request"; | 187 condition = "bad-request"; |
| 605 -- appending the error information to the redirect_uri and sending the | 601 -- appending the error information to the redirect_uri and sending the |
| 606 -- redirect to the user-agent. In some cases we can't do this, e.g. if | 602 -- redirect to the user-agent. In some cases we can't do this, e.g. if |
| 607 -- the redirect_uri is missing or invalid. In those cases, we render an | 603 -- the redirect_uri is missing or invalid. In those cases, we render an |
| 608 -- error directly to the user-agent. | 604 -- error directly to the user-agent. |
| 609 local function error_response(request, redirect_uri, err) | 605 local function error_response(request, redirect_uri, err) |
| 610 if not redirect_uri or not is_secure_redirect(redirect_uri) then | 606 if not redirect_uri or redirect_uri == oob_uri then |
| 611 module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri); | |
| 612 return render_error(err); | 607 return render_error(err); |
| 613 end | 608 end |
| 614 local q = request.url.query and http.formdecode(request.url.query); | 609 local q = request.url.query and http.formdecode(request.url.query); |
| 615 local redirect_query = url.parse(redirect_uri); | 610 local redirect_query = url.parse(redirect_uri); |
| 616 local sep = redirect_query.query and "&" or "?"; | 611 local sep = redirect_query.query and "&" or "?"; |
