Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5704:8cb3da7df521
mod_http_oauth2: Restrict introspection to clients own tokens
The introspection code was added before the client hash was added in
0860497152af which allows connecting tokens to clients.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Oct 2023 11:20:15 +0100 |
parent | 5703:b43c989fb69c |
child | 5705:527c747711f3 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 25 09:31:21 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Oct 29 11:20:15 2023 +0100 @@ -1061,6 +1061,11 @@ return 401; end + local client = check_client(credentials.username); + if not client then + return 401; + end + local form_data = http.formdecode(request.body or "="); local token = form_data.token; if not token then @@ -1071,6 +1076,10 @@ if not token_info then return { headers = { content_type = "application/json" }; body = json.encode { active = false } }; end + local token_client = token_info.grant.data.oauth2_client; + if not token_client or token_client.hash ~= client.client_hash then + return 403; + end return { headers = { content_type = "application/json" }; @@ -1083,7 +1092,7 @@ exp = token.expires; iat = token.created; sub = url.build({ scheme = "xmpp"; path = token_info.jid }); - aud = nil; + aud = credentials.username; iss = get_issuer(); jti = token_info.id; };