# HG changeset patch
# User Kim Alvefur
# Date 1748964052 -7200
# Node ID b7eb7d25693962de779c9bb5e9fc02d4146d7db4
# Parent 5b269511ade79acdee0f1954027a25b4306df3d3
mod_http_oauth2: Return instead of throwing errors error() or assert() does not get handled correctly
diff -r 5b269511ade7 -r b7eb7d256939 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue Jun 03 17:04:19 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Jun 03 17:20:52 2025 +0200
@@ -410,7 +410,10 @@
 local request_username
 if expect_username_jid then
- local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
+ local request_jid = params.username;
+ if not request_jid then
+ return oauth_error("invalid_request", "missing 'username' (JID)");
+ end
 local _request_username, request_host = jid.prepped_split(request_jid);
 if not (_request_username and request_host) or request_host ~= module.host then
@@ -419,10 +422,16 @@
 request_username = _request_username
 else
- request_username = assert(params.username, oauth_error("invalid_request", "missing 'username'"));
+ request_username = params.username;
+ if not request_username then
+ return oauth_error("invalid_request", "missing 'username'");
+ end
 end
- local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
+ local request_password = params.password;
+ if not request_password then
+ return oauth_error("invalid_request", "missing 'password'");
+ end
 if not usermanager.test_password(request_username, module.host, request_password) then
 return oauth_error("invalid_grant", "incorrect credentials");
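Review bot: The presence checks added in the first hunk (`if not request_jid then`) and in the second hunk (`if not request_username then`, `if not request_password then`) reject only a missing parameter; an empty string is truthy in Lua, so a present-but-empty value still passes. In the JID branch the following `jid.prepped_split` check presumably catches an empty username, but an empty password reaches `usermanager.test_password` unchanged, and some authentication backends treat an empty password specially (an LDAP simple bind with an empty password is an unauthenticated bind). Whether any configured backend behaves that way is not visible here, so I would reject it up front with `if not request_password or request_password == "" then`, and do the same in the component handler changed at `@@ -723`. The function body starts and ends outside these hunks.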
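Review bot: In the `else` branch of the second hunk, `request_username = params.username;` hands the client-supplied value to `usermanager.test_password` as given, while the JID branch in the first hunk takes its username from `jid.prepped_split`. If an auth or storage backend matches usernames case-insensitively, an un-normalised spelling could authenticate and then be carried into whatever the function does with `request_username` after the hunk, which is not visible here. Consider normalising before the password check, for example `request_username = nodeprep(params.username);` with `nodeprep` taken from util.encodings' `stringprep` if the file does not already have it in scope, and returning the `invalid_request` error when that yields nil.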
@@ -723,8 +732,14 @@
 local component_secret = assert(module:get_option_string("component_secret"), "'component_secret' is a required setting when loaded on a Component");
 function grant_type_handlers.password(params)
- local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
- local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
+ local request_jid = params.username;
+ if not request_jid then
+ return oauth_error("invalid_request", "missing 'username' (JID)");
+ end
+ local request_password = params.password
+ if not request_password then
+ return oauth_error("invalid_request", "missing 'password'");
+ end
 local request_username, request_host, request_resource = jid.prepped_split(request_jid);
 if params.scope then
 -- TODO shouldn't we support scopes / roles here?
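Review bot: `local request_password = params.password` is the only statement added in this hunk without a trailing `;`, unlike `local request_jid = params.username;` two lines above it and the matching line in the other password handler; I would write `local request_password = params.password;` for consistency. A short comment above the first check, such as `-- return the error; a thrown oauth_error is not handled here`, would also record why `assert()` was dropped, so that it is not reintroduced later. The body of `grant_type_handlers.password` continues past the end of the hunk.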