Diff

mod_http_oauth2/mod_http_oauth2.lua @ 5478:af105c7a24b2

mod_http_oauth2: Always render errors as HTML for OOB redirect URI No invalid or insecure redirect URIs should make it to this point, so the warning can be removed.
author Kim Alvefur <zash@zash.se>
date Thu, 18 May 2023 14:25:11 +0200
parent 5477:5986e0edd7a3
child 5479:30e2722c9fa3
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 18 14:17:58 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu May 18 14:25:11 2023 +0200
@@ -180,10 +180,6 @@
 local oob_uri = "urn:ietf:wg:oauth:2.0:oob";
 
 local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });
-local function is_secure_redirect(uri)
-	local u = url.parse(uri);
-	return u.scheme ~= "http" or loopbacks:contains(u.host);
-end
 
 local function oauth_error(err_name, err_desc)
 	return errors.new({
@@ -607,8 +603,7 @@
 -- the redirect_uri is missing or invalid. In those cases, we render an
 -- error directly to the user-agent.
 local function error_response(request, redirect_uri, err)
-	if not redirect_uri or not is_secure_redirect(redirect_uri) then
-		module:log("warn", "Missing or invalid redirect_uri %q, rendering error to user-agent", redirect_uri);
+	if not redirect_uri or redirect_uri == oob_uri then
 		return render_error(err);
 	end
 	local q = request.url.query and http.formdecode(request.url.query);