Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5478:af105c7a24b2
mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 18 May 2023 14:25:11 +0200 |
parent | 5477:5986e0edd7a3 |
child | 5479:30e2722c9fa3 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:17:58 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Thu May 18 14:25:11 2023 +0200 @@ -180,10 +180,6 @@ local oob_uri = "urn:ietf:wg:oauth:2.0:oob"; local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" }); -local function is_secure_redirect(uri) - local u = url.parse(uri); - return u.scheme ~= "http" or loopbacks:contains(u.host); -end local function oauth_error(err_name, err_desc) return errors.new({ @@ -607,8 +603,7 @@ -- the redirect_uri is missing or invalid. In those cases, we render an -- error directly to the user-agent. local function error_response(request, redirect_uri, err) - if not redirect_uri or not is_secure_redirect(redirect_uri) then - module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri); + if not redirect_uri or redirect_uri == oob_uri then return render_error(err); end local q = request.url.query and http.formdecode(request.url.query);