# HG changeset patch
# User Kim Alvefur
# Date 1745072724 -7200
# Node ID c1b94dd6e53b16b159f87e75f11b6919c6792ff3
# Parent 4f0ed0e3ad5ad2501fb70e6d8f3ccb11639b8f3a
mod_http_oauth2: Change password grant to take username instead of JID [BC] For consistency since the other grant types do not accept JIDs This has been like this from the beginning of this module. Changing this breaks backwards-compatibility with anything that relied on the JID as username, but things shouldn't really be using the password grant anyway as it is insecure.
diff -r 4f0ed0e3ad5a -r c1b94dd6e53b mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 19 16:42:21 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 19 16:25:24 2025 +0200
@@ -419,18 +419,14 @@
 return oauth_error("invalid_client", "incorrect credentials");
 end
- local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
+ local request_username = assert(params.username, oauth_error("invalid_request", "missing 'username'"));
 local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
- local request_username, request_host, request_resource = jid.prepped_split(request_jid);
- if not (request_username and request_host) or request_host ~= module.host then
- return oauth_error("invalid_request", "invalid JID");
- end
- if not usermanager.test_password(request_username, request_host, request_password) then
+ if not usermanager.test_password(request_username, module.host, request_password) then
 return oauth_error("invalid_grant", "incorrect credentials");
 end
- local granted_jid = jid.join(request_username, request_host, request_resource);
+ local granted_jid = jid.join(request_username, module.host);
 local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
 return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil));
 end
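Review bot: The raw `params.username` now reaches `usermanager.test_password`, `filter_scopes` and `jid.join` without the nodeprep normalization that `jid.prepped_split` applied on the removed line, so a username differing only in case or Unicode form, or one containing `@` or `/`, is looked up unnormalized and can end up in the granted token's JID as a non-canonical or malformed identity. Whether the lookup itself is case-sensitive depends on the auth provider, which is outside the hunk, so this is at least a consistency gap with the other grant types and possibly a mismatch between the account that was verified and the JID the token asserts. Normalizing first restores the old guarantee: `local request_username = nodeprep(params.username);` followed by `if not request_username then return oauth_error("invalid_request", "invalid 'username'"); end`, where `nodeprep` stands for whatever stringprep helper the module already has in scope (the jid library's prepped_split was performing this step before) — confirm which one. The enclosing grant handler starts before this hunk.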