Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5478:af105c7a24b2

mod_http_oauth2: Always render errors as HTML for OOB redirect URI No invalid or insecure redirect URIs should make it to this point, so the warning can be removed.
author Kim Alvefur <zash@zash.se>
date Thu, 18 May 2023 14:25:11 +0200
parent 5477:5986e0edd7a3
child 5479:30e2722c9fa3
comparison
equal deleted inserted replaced
5477:5986e0edd7a3 5478:af105c7a24b2
178 -- code to the user for them to copy-paste into the client, which can then 178 -- code to the user for them to copy-paste into the client, which can then
179 -- continue as if it received it via redirect. 179 -- continue as if it received it via redirect.
180 local oob_uri = "urn:ietf:wg:oauth:2.0:oob"; 180 local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
181 181
182 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); 182 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
183 local function is_secure_redirect(uri)
184 local u = url.parse(uri);
185 return u.scheme ~= "http" or loopbacks:contains(u.host);
186 end
187 183
188 local function oauth_error(err_name, err_desc) 184 local function oauth_error(err_name, err_desc)
189 return errors.new({ 185 return errors.new({
190 type = "modify"; 186 type = "modify";
191 condition = "bad-request"; 187 condition = "bad-request";
605 -- appending the error information to the redirect_uri and sending the 601 -- appending the error information to the redirect_uri and sending the
606 -- redirect to the user-agent. In some cases we can't do this, e.g. if 602 -- redirect to the user-agent. In some cases we can't do this, e.g. if
607 -- the redirect_uri is missing or invalid. In those cases, we render an 603 -- the redirect_uri is missing or invalid. In those cases, we render an
608 -- error directly to the user-agent. 604 -- error directly to the user-agent.
609 local function error_response(request, redirect_uri, err) 605 local function error_response(request, redirect_uri, err)
610 if not redirect_uri or not is_secure_redirect(redirect_uri) then 606 if not redirect_uri or redirect_uri == oob_uri then
611 module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri);
612 return render_error(err); 607 return render_error(err);
613 end 608 end
614 local q = request.url.query and http.formdecode(request.url.query); 609 local q = request.url.query and http.formdecode(request.url.query);
615 local redirect_query = url.parse(redirect_uri); 610 local redirect_query = url.parse(redirect_uri);
616 local sep = redirect_query.query and "&" or "?"; 611 local sep = redirect_query.query and "&" or "?";