# HG changeset patch # User Kim Alvefur # Date 1679432558 -3600 # Node ID f845c218e52ca98db4ab01da67ecdd24efa6c42e # Parent d3ebaef1ea7a531f9a30ebbf3fa815883a2ead37 mod_http_oauth2: Allow revoking a token without OAuth client credentials If you have a valid token, and you're not supposed to have it, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should also be allowed to revoke it. diff -r d3ebaef1ea7a -r f845c218e52c mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 21:57:18 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 22:02:38 2023 +0100 @@ -570,20 +570,20 @@ local function handle_revocation_request(event) local request, response = event.request, event.response; - if not request.headers.authorization then - response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); - return 401; - elseif request.headers.content_type ~= "application/x-www-form-urlencoded" + if request.headers.content_type ~= "application/x-www-form-urlencoded" or not request.body or request.body == "" then return 400; end - local credentials = get_request_credentials(request); - if not credentials or credentials.type ~= "basic" then - return 400; - end - -- OAuth "client" credentials - if not verify_client_secret(credentials.username, credentials.password) then - return 401; + if request.headers.authorization then + local credentials = get_request_credentials(request); + if not credentials or credentials.type ~= "basic" then + response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name); + return 401; + end + -- OAuth "client" credentials + if not verify_client_secret(credentials.username, credentials.password) then + return 401; + end end local form_data = http.formdecode(event.request.body);
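Review bot: with this hunk, a request that carries no Authorization header now skips client authentication entirely and falls through to the `http.formdecode` step, so the only thing gating revocation is whatever the code after the hunk does with the submitted token; that matches the commit message's intent, but the handler should make the token lookup the sole authorization check and the module documentation should state that client credentials are optional on this endpoint, since RFC 7009 readers will expect them to be required for confidential clients. Two smaller points in the same hunk: the `www_authenticate` header is now set only when an Authorization header is present but malformed, not when `verify_client_secret` fails, so a client sending a wrong secret gets a bare 401 without the challenge (consider setting the header in both branches, or in neither now that authentication is optional); and the content-type check is an exact string comparison against `"application/x-www-form-urlencoded"`, which will reject an otherwise valid body whose header carries a parameter such as `; charset=utf-8`. Since this line moved rather than changed, a follow-up could compare the media type after stripping parameters.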