
6238:c1b94dd6e53b

mod_http_oauth2: Change password grant to take username instead of JID [BC] For consistency since the other grant types do not accept JIDs This has been like this from the beginning of this module. Changing this breaks backwards-compatibility with anything that relied on the JID as username, but things shouldn't really be using the password grant anyway as it is insecure.
author Kim Alvefur <zash@zash.se>
date Sat, 19 Apr 2025 16:25:24 +0200
parents 6237:4f0ed0e3ad5a
children 6239:a931a95e363e
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 3 insertions(+), 7 deletions(-) [+]
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 19 16:42:21 2025 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 19 16:25:24 2025 +0200
@@ -419,18 +419,14 @@
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
 
-	local request_jid = assert(params.username, oauth_error("invalid_request", "missing 'username' (JID)"));
+	local request_username = assert(params.username, oauth_error("invalid_request", "missing 'username'"));
 	local request_password = assert(params.password, oauth_error("invalid_request", "missing 'password'"));
-	local request_username, request_host, request_resource = jid.prepped_split(request_jid);
 
-	if not (request_username and request_host) or request_host ~= module.host then
-		return oauth_error("invalid_request", "invalid JID");
-	end
-	if not usermanager.test_password(request_username, request_host, request_password) then
+	if not usermanager.test_password(request_username, module.host, request_password) then
 		return oauth_error("invalid_grant", "incorrect credentials");
 	end
 
-	local granted_jid = jid.join(request_username, request_host, request_resource);
+	local granted_jid = jid.join(request_username, module.host);
 	local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
 	return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil));
 end
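Review bot: The new line `local request_username = assert(params.username, ...)` drops the stringprep normalisation that `jid.prepped_split` used to apply, so the raw request value now reaches `usermanager.test_password` and `jid.join` unprepped; whether that is safe depends on whether the auth provider normalises usernames itself, which is not visible here. Without a prep step, a username that differs only in case or Unicode form from the stored one is looked up as a different account, and a value containing '@' or '/' is joined into a JID that will not parse back to the same user. If the module has `nodeprep` (util.encodings) in scope, `local request_username = nodeprep(params.username); if not request_username then return oauth_error("invalid_request", "invalid 'username'"); end` would restore the old behaviour; otherwise `jid.prepped_split(params.username .. "@" .. module.host)` with a nil check does the same using the name already imported. The enclosing function starts before this hunk, so its parameter handling is not visible.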