Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5405:c7a5caad28ef
mod_http_oauth2: Enforce response type encoded in client_id
The client promises to only use this response type, so we should hold
them to that.
This makes it fail earlier if the response type is disabled or the
client is trying to use one that it promised not to use. Better than
failing after login and consent.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:31:25 +0200 |
parent | 5404:1087f697c3f3 |
child | 5406:b86d80e21c60 |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:23:40 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:31:25 2023 +0200 @@ -620,6 +620,12 @@ return oauth_error("invalid_client", "incorrect credentials"); end + local client_response_types = set.new(array(client.response_types or { "code" })); + client_response_types = set.intersection(client_response_types, allowed_response_type_handlers); + if not client_response_types:contains(params.response_type) then + return oauth_error("invalid_client", "response_type not allowed"); + end + local auth_state = get_auth_state(request); if not auth_state.user then -- Render login page