
mod_http_oauth2/mod_http_oauth2.lua @ 5265:f845c218e52c

mod_http_oauth2: Allow revoking a token without OAuth client credentials If you have a valid token, and you're not supposed to have it, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should also be allowed to revoke it.
author Kim Alvefur <zash@zash.se>
date Tue, 21 Mar 2023 22:02:38 +0100
parent 5264:d3ebaef1ea7a
child 5266:5943605201ca
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 21:57:18 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 22:02:38 2023 +0100
@@ -570,20 +570,20 @@
 
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
-	if not request.headers.authorization then
-		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
-		return 401;
-	elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
+		if request.headers.content_type ~= "application/x-www-form-urlencoded"
 	or not request.body or request.body == "" then
 		return 400;
 	end
-	local credentials = get_request_credentials(request);
-	if not credentials or credentials.type ~= "basic" then
-		return 400;
-	end
-	-- OAuth "client" credentials
-	if not verify_client_secret(credentials.username, credentials.password) then
-		return 401;
+	if request.headers.authorization then
+		local credentials = get_request_credentials(request);
+		if not credentials or credentials.type ~= "basic" then
+			response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+			return 401;
+		end
+		-- OAuth "client" credentials
+		if not verify_client_secret(credentials.username, credentials.password) then
+			return 401;
+		end
 	end
 
 	local form_data = http.formdecode(event.request.body);
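Review bot: `credentials` is now declared `local` inside the `if request.headers.authorization then` block, so it is no longer visible to the rest of handle_revocation_request; if anything below this hunk still reads it (for example to check that the token being revoked was issued to the authenticating client), that read now resolves to an undefined global and the handler would fail with a nil index error. If such a use exists, hoist the declaration: `local credentials;` before the `if`, and `credentials = get_request_credentials(request);` inside it, so that unauthenticated requests see `nil` and authenticated ones see the verified client. The new unauthenticated path also deserves a one-line comment stating the intent from the commit message, e.g. `-- No client credentials: possession of the token is treated as sufficient authority to revoke it`, so a later reader does not mistake the missing 401 for an oversight. Separately, the rewritten `if request.headers.content_type ~= "application/x-www-form-urlencoded"` line is indented one tab deeper than the surrounding statements and should be brought back to the function's indent level. The function body continues past the end of this hunk.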