Software `/` code `/` prosody-modules

Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5446:dd7bddc87f98

mod_http_oauth2: Fix inclusion of role in refreshed access tokens `refresh_token_info` does not carry the role, and due to behavior prior to prosody trunk rev a1ba503610ed it would have reverted to the users' default role. After that it instead issues a token without role which is thus not usable with e.g. mod_rest

author	Kim Alvefur <zash@zash.se>
date	Thu, 11 May 2023 21:37:35 +0200
parent	5445:74fdf4a7cca1
child	5447:aa4828f040c5

comparison

equal deleted inserted replaced

-:74fdf4a7cca1
+:dd7bddc87f98
 	local refresh_token_info = tokens.get_token_info(params.refresh_token);
 	if not refresh_token_info or refresh_token_info.purpose ~= "oauth2-refresh" then
 		return oauth_error("invalid_grant", "invalid refresh token");
 	end
+	local refresh_scopes = refresh_token_info.grant.data.oauth2_scopes;
+	local new_scopes, role = filter_scopes(username, refresh_scopes);
 	-- new_access_token() requires the actual token
 	refresh_token_info.token = params.refresh_token;
 	return json.encode(new_access_token(
-		refresh_token_info.jid, refresh_token_info.role, refresh_token_info.grant.data.oauth2_scopes, client, nil, refresh_token_info
+		refresh_token_info.jid, role, new_scopes, client, nil, refresh_token_info
 	));
 end
 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients

prosody-modules

dd7bddc87f98

mod_http_oauth2/mod_http_oauth2.lua

Software / code / prosody-modules

Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5446:dd7bddc87f98

Software `/` code `/` prosody-modules