# HG changeset patch
# User Kim Alvefur
# Date 1677797849 -3600
# Node ID 6a3c1febd7beb35f952fbb30296335a2f7547168
# Parent fa3059e653facf9b868ba8c49f446e88dad27cbf
mod_http_oauth2: Add settings for allowed grant and response types
So that you can opt-in to the insecure methods...
diff -r fa3059e653fa -r 6a3c1febd7be mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 02 22:06:50 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 02 23:57:29 2023 +0100
@@ -253,6 +253,21 @@
 check_credentials = function () return false end
 end
+local allowed_grant_type_handlers = module:get_option_set("allowed_oauth2_grant_types", {"authorization_code", "password"})
+for handler_type in pairs(grant_type_handlers) do
+ if not allowed_grant_type_handlers:contains(handler_type) then
+ grant_type_handlers[handler_type] = nil;
+ end
+end
+ -- "token" aka implicit flow is considered insecure
+local allowed_response_type_handlers = module:get_option_set("allowed_oauth2_response_types", {"code"})
+for handler_type in pairs(allowed_response_type_handlers) do
+ if not allowed_grant_type_handlers:contains(handler_type) then
+ grant_type_handlers[handler_type] = nil;
+ end
+end
+
 function handle_token_grant(event)
 event.response.headers.content_type = "application/json";
 local params = http.formdecode(event.request.body);
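Review bot: The second filter loop never restricts the response types: it iterates `pairs(allowed_response_type_handlers)` (the option set object itself, which presumably yields its internal fields rather than the configured names), tests membership against `allowed_grant_type_handlers`, and clears entries of `grant_type_handlers`, so `allowed_oauth2_response_types` is a no-op and the implicit flow that the comment above it calls insecure stays reachable despite the `{"code"}` default. Assuming the module keeps a `response_type_handlers` table alongside `grant_type_handlers` (neither table is defined inside this hunk), the three lines should read `for handler_type in pairs(response_type_handlers) do`, `if not allowed_response_type_handlers:contains(handler_type) then`, `response_type_handlers[handler_type] = nil;`. The first loop is fine as written, since Lua permits clearing existing keys during a `pairs` traversal. Defaulting `allowed_oauth2_grant_types` to include `password` also deserves a comment next to the option, because the OAuth 2.0 Security BCP recommends against the resource owner password grant and the commit message presents these options as the opt-in for insecure methods.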