mod_http_oauth2/mod_http_oauth2.lua @ 5402:fbf3ede7541b
mod_http_oauth2: More appropriate error conditions in client validation
These are the error codes RFC 7591 (section 3.2.2) specifies for these kinds of client metadata problems.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 02 May 2023 16:22:17 +0200 |
parent | 5401:c8d04ac200fc |
child | 5403:c574aaaa4d57 |
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:20:55 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue May 02 16:22:17 2023 +0200
@@ -755,12 +755,12 @@
 local client_uri = url.parse(client_metadata.client_uri);
 if not client_uri or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then
- return nil, oauth_error("invalid_request", "Missing, invalid or insecure client_uri");
+ return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure client_uri");
 end
 for _, redirect_uri in ipairs(client_metadata.redirect_uris) do
 if not redirect_uri_allowed(redirect_uri, client_uri, client_metadata.application_type) then
- return nil, oauth_error("invalid_request", "Invalid, insecure or inappropriate redirect URI.");
+ return nil, oauth_error("invalid_redirect_uri", "Invalid, insecure or inappropriate redirect URI.");
 end
 end
@@ -768,10 +768,10 @@
 if field ~= "client_uri" and prop_schema.format == "uri" and client_metadata[field] then
 local components = url.parse(client_metadata[field]);
 if components.scheme ~= "https" then
- return nil, oauth_error("invalid_request", "Insecure URI forbidden");
+ return nil, oauth_error("invalid_client_metadata", "Insecure URI forbidden");
 end
 if components.authority ~= client_uri.authority then
- return nil, oauth_error("invalid_request", "Informative URIs must have the same hostname");
+ return nil, oauth_error("invalid_client_metadata", "Informative URIs must have the same hostname");
 end
 end
 end
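Review bot: The client_uri guard on the second context line rejects a non-https scheme or a loopback host but never requires a host to be present at all, so a value whose parse result carries no authority (for example `https:` with no `//host`) passes with `client_uri.host == nil`, and the later same-host/same-authority comparisons against it then have nothing meaningful to compare. Suggest `if not client_uri or not client_uri.host or client_uri.scheme ~= "https" or loopbacks:contains(client_uri.host) then`. Whether url.parse actually yields a nil host for such input depends on the URL library in use, which is not visible here. The enclosing validation function starts before this hunk.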
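Review bot: `components.scheme` on the third line of the second hunk is dereferenced with no nil check, unlike the `not client_uri` and `not uri` guards in the neighbouring hunks, so a field value that url.parse cannot parse would raise a Lua error and surface as a server failure instead of the RFC 7591 `invalid_client_metadata` response this commit introduces. Suggest `if not components or components.scheme ~= "https" then`. Whether url.parse can return nil for a non-empty value the schema already accepted depends on the parser and on whether `format = "uri"` is enforced by the schema validator, neither of which is visible. Separately, the message `Informative URIs must have the same hostname` describes a host comparison while the check compares `authority`, which also covers port and userinfo; consider `Informative URIs must have the same authority (host and port) as client_uri`. The enclosing function starts before this hunk.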
@@ -781,9 +781,9 @@
 if k:find"_uri#" then
 local uri = url.parse(v);
 if not uri or uri.scheme ~= "https" then
- return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+ return nil, oauth_error("invalid_client_metadata", "Missing, invalid or insecure "..k);
 elseif uri.host ~= client_uri.host then
- return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+ return nil, oauth_error("invalid_client_metadata", "All URIs must use the same hostname as client_uri");
 end
 end
 end
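Review bot: The language-tagged `_uri#` fields are compared to client_uri by `host` alone on the `elseif` line, while the un-tagged URI fields in the preceding hunk are compared by `authority`, so a tagged variant such as `policy_uri#en` on a different port or with userinfo is accepted where `policy_uri` itself would be rejected. Unless that asymmetry is intended, `elseif uri.authority ~= client_uri.authority then` keeps the two checks consistent, and the message could then say "authority" rather than "hostname". Both comparisons are also plain case-sensitive string compares, so a differently-cased but equivalent hostname is rejected; that is a usability rather than a security concern. The surrounding loop and function start before this hunk.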