Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5265:f845c218e52c

mod_http_oauth2: Allow revoking a token without OAuth client credentials If you have a valid token, and you're not supposed to have it, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should also be allowed to revoke it.
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 22:02:38 +0100
parent 5264:d3ebaef1ea7a
child 5266:5943605201ca
comparison
equal deleted inserted replaced
5264:d3ebaef1ea7a 5265:f845c218e52c
568 return response_handler(client, params, user_jid, id_token); 568 return response_handler(client, params, user_jid, id_token);
569 end 569 end
570 570
571 local function handle_revocation_request(event) 571 local function handle_revocation_request(event)
572 local request, response = event.request, event.response; 572 local request, response = event.request, event.response;
573 if not request.headers.authorization then 573 if request.headers.content_type ~= "application/x-www-form-urlencoded"
574 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
575 return 401;
576 elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
577 or not request.body or request.body == "" then 574 or not request.body or request.body == "" then
578 return 400; 575 return 400;
579 end 576 end
580 local credentials = get_request_credentials(request); 577 if request.headers.authorization then
581 if not credentials or credentials.type ~= "basic" then 578 local credentials = get_request_credentials(request);
582 return 400; 579 if not credentials or credentials.type ~= "basic" then
583 end 580 response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
584 -- OAuth "client" credentials 581 return 401;
585 if not verify_client_secret(credentials.username, credentials.password) then 582 end
586 return 401; 583 -- OAuth "client" credentials
584 if not verify_client_secret(credentials.username, credentials.password) then
585 return 401;
586 end
587 end 587 end
588 588
589 local form_data = http.formdecode(event.request.body); 589 local form_data = http.formdecode(event.request.body);
590 if not form_data or not form_data.token then 590 if not form_data or not form_data.token then
591 return 400; 591 return 400;