Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5210:898575a0c6f3
mod_http_oauth2: Switch to '303 See Other' redirects
This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is
the only redirect code that guarantees the user agent will use a GET request,
rather than re-submitting a POST request to the new URL.
The latter would be bad for us, as we are encoding auth tokens in the form
data.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Mon, 06 Mar 2023 10:37:43 +0000 |
parent | 5209:942f8a2f722d |
child | 5213:dc0f502c12f1 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 10:29:14 2023 +0000 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 10:37:43 2023 +0000 @@ -211,7 +211,7 @@ redirect.query = http.formencode(query); return { - status_code = 302; + status_code = 303; headers = { location = url.build(redirect); }; @@ -229,7 +229,7 @@ redirect.fragment = http.formencode(token_info); return { - status_code = 302; + status_code = 303; headers = { location = url.build(redirect); }; @@ -396,7 +396,7 @@ .. "&" .. http.formencode({ state = q.state, iss = get_issuer() }); module:log("warn", "Sending error response to client via redirect to %s", redirect_uri); return { - status_code = 302; + status_code = 303; headers = { location = redirect_uri; };