# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1751538763 -7200
# Node ID dfc035ecabb48f8e9b86bc9e44bba442b59e09b6
# Parent  e174e12549e1db5ae0e1954899ed55f30e5a2988
mod_http_oauth2: Remove defaults that should be included on clients

Since create_client() adds these fields if they are missing, we can
assume that they are present.

diff -r e174e12549e1 -r dfc035ecabb4 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Jul 03 12:27:32 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Jul 03 12:32:43 2025 +0200
@@ -913,7 +913,7 @@
 
 
 	local grant_type = params.grant_type
-	if not array_contains(client.grant_types or { "authorization_code" }, grant_type) then
+	if not array_contains(client.grant_types, grant_type) then
 		return oauth_error("invalid_request", "'grant_type' not registered");
 	end
 
@@ -954,7 +954,7 @@
 	-- From this point we know that redirect_uri is safe to use
 
 	local response_type = params.response_type;
-	if not array_contains(client.response_types or { "code" }, response_type) then
+	if not array_contains(client.response_types, response_type) then
 		return error_response(request, redirect_uri, oauth_error("invalid_client", "'response_type' not registered"));
 	end
 	if not allowed_response_type_handlers:contains(response_type) then