Changeset
6269:2505542c6c50
mod_http_oauth2: Deduplicate client authentication
Since it is always performed by each grant_type_handler, it can now be
done earlier before dispatching to them.
A note on 4f0ed0e3ad5a: Requiring a client in the password grant broke
use without registering a client, e.g. the Snikket Web Portal.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 31 May 2025 13:36:39 +0200 |
parents | 6268:a4d7fefa4a8b |
children | 6270:9014c95c4549 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 17 insertions(+), 28 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua Wed May 28 16:53:22 2025 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat May 31 13:36:39 2025 +0200
@@ -406,20 +406,7 @@
 return hashes.equals(make_client_secret(client_id), client_secret);
 end
-function grant_type_handlers.password(params)
- if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
- if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
-
- local client = check_client(params.client_id);
- if not client then
- return oauth_error("invalid_client", "incorrect credentials");
- end
-
- if not verify_client_secret(params.client_id, params.client_secret) then
- module:log("debug", "client_secret mismatch");
- return oauth_error("invalid_client", "incorrect credentials");
- end
-
+function grant_type_handlers.password(params, client)
 local request_username
 if expect_username_jid then
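Review bot: The new `client` parameter on `grant_type_handlers.password` carries no documentation of its contract, so a reader of the handler alone cannot tell that `params.client_id` and `params.client_secret` have already been checked and that `client` is the non-nil value `check_client` returned for that id. Add a comment above the signature such as `-- client: record returned by check_client() for params.client_id; the token endpoint has already verified the client secret before dispatching here`. The same applies to `grant_type_handlers.authorization_code` in the next hunk. The body of the password handler continues past the end of this hunk.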
@@ -537,24 +524,12 @@
 }
 end
-function grant_type_handlers.authorization_code(params)
- if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
- if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+function grant_type_handlers.authorization_code(params, client)
 if not params.code then return oauth_error("invalid_request", "missing 'code'"); end
 if params.scope and params.scope ~= "" then
 -- FIXME allow a subset of granted scopes
 return oauth_error("invalid_scope", "unknown scope requested");
 end
-
- local client = check_client(params.client_id);
- if not client then
- return oauth_error("invalid_client", "incorrect credentials");
- end
-
- if not verify_client_secret(params.client_id, params.client_secret) then
- module:log("debug", "client_secret mismatch");
- return oauth_error("invalid_client", "incorrect credentials");
- end
 local code, err = codes:get("authorization_code:" .. params.client_id .. "#" .. params.code);
 if err then error(err); end
 -- MUST NOT use the authorization code more than once, so remove it to
@@ -884,12 +859,26 @@
 params.client_secret = http.urldecode(credentials.password);
 end
+ if not params.client_id then return oauth_error("invalid_request", "missing 'client_id'"); end
+ if not params.client_secret then return oauth_error("invalid_request", "missing 'client_secret'"); end
+
+ local client = check_client(params.client_id);
+ if not client then
+ return oauth_error("invalid_client", "incorrect credentials");
+ end
+
+ if not verify_client_secret(params.client_id, params.client_secret) then
+ module:log("debug", "client_secret mismatch");
+ return oauth_error("invalid_client", "incorrect credentials");
+ end
+
 local grant_type = params.grant_type
 local grant_handler = grant_type_handlers[grant_type];
 if not grant_handler then
 return oauth_error("invalid_request", "No such grant type.");
 end
- return grant_handler(params);
+ return grant_handler(params, client);
 end
 local function handle_authorization_request(event)
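Review bot: The relocated mismatch log `module:log("debug", "client_secret mismatch");` still records nothing that identifies the client, so now that every grant type's client authentication funnels through this one spot, repeated failures at the token endpoint cannot be attributed per client from the logs; `module:log("debug", "client_secret mismatch for client_id %s", params.client_id);` would make them correlatable without logging the secret itself. Note also that client authentication now runs before the `grant_type_handlers[grant_type]` lookup, so an unauthenticated request with an unknown grant type answers `invalid_client` where it previously got `invalid_request`; that ordering is consistent with RFC 6749 §5.2 and avoids disclosing which grant types exist to callers that have not authenticated, but it is an observable change worth a sentence in the commit message. The enclosing token-endpoint function begins before this hunk, so the Basic-auth path that fills `params.client_secret` is only partly visible here.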