# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1677790842 -3600
# Node ID 09d6bbd6c8a40a15bafa3d1e9658ba42e198d688
# Parent  313937349fbc8f8bf31824bde4262ebe236aba13
mod_http_oauth2: Fix treatment of 'redirect_uri' parameter in code flow

It's optional and the one stored in the client registration should
really be used instead. RFC 6749 says an URI provided as parameter MUST
be validated against the stored one but does not say how.
Given that the client needs their secret to proceed, it seems fine to
leave this for later.

diff -r 313937349fbc -r 09d6bbd6c8a4 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 02 11:38:57 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 02 22:00:42 2023 +0100
@@ -94,7 +94,6 @@
 
 function response_type_handlers.code(params, granted_jid)
 	if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
-	if not params.redirect_uri then return oauth_error("invalid_request", "missing 'redirect_uri'"); end
 
 	local client_owner, client_host, client_id = jid.prepped_split(params.client_id);
 	if client_host ~= module.host then
@@ -118,7 +117,7 @@
 		return {status_code = 429};
 	end
 
-	local redirect = url.parse(params.redirect_uri);
+	local redirect = url.parse(params.redirect_uri or client.redirect_uri);
 	local query = http.formdecode(redirect.query or "");
 	if type(query) ~= "table" then query = {}; end
 	table.insert(query, { name = "code", value = code })