Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5429:0bbeee8ba8b5
mod_http_oauth2: Strip unknown scopes from consent page
Since the scope string can be any arbitrary space-separated strings.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 07 May 2023 20:25:18 +0200 |
parent | 5428:07e166b34c4c |
child | 5445:74fdf4a7cca1 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun May 07 20:24:18 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sun May 07 20:25:18 2023 +0200 @@ -651,7 +651,8 @@ return render_page(templates.login, { state = auth_state, client = client }); elseif auth_state.consent == nil then -- Render consent page - return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope or "") }, true); + local scopes, roles = split_scopes(parse_scopes(params.scope or "")); + return render_page(templates.consent, { state = auth_state; client = client; scopes = scopes+roles }, true); elseif not auth_state.consent then -- Notify client of rejection return error_response(request, oauth_error("access_denied"));