Diff

mod_http_oauth2/mod_http_oauth2.lua @ 5420:aa068449b0b6

mod_http_oauth2: Bail out of implicit flow on invalid or missing redirect Probably hasn't been tested, and maybe never will since it's disabled and more or less deprecated in OAuth 2.1
author Kim Alvefur <zash@zash.se>
date Sat, 06 May 2023 12:23:22 +0200
parent 5419:a0333176303c
child 5423:5b2352dda31f
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri May 05 21:32:34 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat May 06 12:23:22 2023 +0200
@@ -337,6 +337,7 @@
 	local token_info = new_access_token(granted_jid, granted_role, granted_scopes, client, nil);
 
 	local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));
+	if not redirect then return 400; end
 	token_info.state = params.state;
 	redirect.fragment = http.formencode(token_info);