Changeset

5644:a44af1b646f5

mod_http_oauth2: Optionally enforce authentication on revocation endpoint But why do OAuth require this? If a token leaks, why couldn't anyone revoke it?
author Kim Alvefur <zash@zash.se>
date Mon, 31 Jul 2023 02:07:58 +0200
parents 5643:e86a1018cdb3
children 5645:3a5cf8d80089
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 7 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:24 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:58 2023 +0200
@@ -1041,6 +1041,8 @@
 	}
 end
 
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
+
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
 	response.headers.cache_control = "no-store";
@@ -1055,6 +1057,11 @@
 		if not verify_client_secret(credentials.username, credentials.password) then
 			return 401;
 		end
+		-- TODO check that it's their token I guess?
+	elseif strict_auth_revoke then
+		-- Why require auth to revoke a leaked token?
+		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+		return 401;
 	end
 
 	local form_data = strict_formdecode(event.request.body);