# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1748890520 -7200
# Node ID 9d88c3d9eea59bf4c72b6c3418f82bcc6e4bb0fd
# Parent  4b52d579bc706cd6f564d987715d5d5a9da94515
mod_http_oauth2: Enforce the registered grant types

Thus a client can limit itself to certain grant types.
Not sure if this prevents any attacks, but what was the point of
including this in the registration if it was not going to be enforced?

This became easier to do with client_id being available earlier.

diff -r 4b52d579bc70 -r 9d88c3d9eea5 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 02 12:59:32 2025 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jun 02 20:55:20 2025 +0200
@@ -878,6 +878,19 @@
 	if not grant_handler then
 		return oauth_error("invalid_request", "No such grant type.");
 	end
+
+	local grant_type_allowed = false;
+	for _, client_grant_type in ipairs(client.grant_types or { "authorization_code" }) do
+		if client_grant_type == grant_type then
+			grant_type_allowed = true;
+			break
+		end
+	end
+
+	if not grant_type_allowed then
+		return oauth_error("invalid_request", "'grant_type' not registered");
+	end
+
 	return grant_handler(params, client);
 end