Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5265:f845c218e52c
mod_http_oauth2: Allow revoking a token without OAuth client credentials
If you have a valid token, and you're not supposed to have it, revoking
it seems the most responsible thing to do with it, so it should be
allowed, while if you are supposed to have it, you should also be
allowed to revoke it.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 21 Mar 2023 22:02:38 +0100 |
parent | 5264:d3ebaef1ea7a |
child | 5266:5943605201ca |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 21:57:18 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 22:02:38 2023 +0100 @@ -570,20 +570,20 @@ local function handle_revocation_request(event) local request, response = event.request, event.response; - if not request.headers.authorization then - response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); - return 401; - elseif request.headers.content_type ~= "application/x-www-form-urlencoded" + if request.headers.content_type ~= "application/x-www-form-urlencoded" or not request.body or request.body == "" then return 400; end - local credentials = get_request_credentials(request); - if not credentials or credentials.type ~= "basic" then - return 400; - end - -- OAuth "client" credentials - if not verify_client_secret(credentials.username, credentials.password) then - return 401; + if request.headers.authorization then + local credentials = get_request_credentials(request); + if not credentials or credentials.type ~= "basic" then + response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); + return 401; + end + -- OAuth "client" credentials + if not verify_client_secret(credentials.username, credentials.password) then + return 401; + end end local form_data = http.formdecode(event.request.body);