Changeset

5357:eda3b078ba2c

mod_http_oauth2: Validate (unused at this point) localized URIs Client registration may include keys of the form "some_uri#lang-code" pointing to alternate language versions of the various URIs. We don't use this yet but the same validation should apply.
author Kim Alvefur <zash@zash.se>
date Sat, 22 Apr 2023 14:02:56 +0200
parents 5356:959dc350f2ad
children 5358:0905d348bd34
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 13 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 22 14:06:41 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Apr 22 14:02:56 2023 +0200
@@ -670,6 +670,7 @@
 		software_version = { type = "string" };
 	};
 	-- Localized versions of descriptive properties and URIs
+	patternProperties = { ["^[a-z_]+_uri#"] = { type = "string"; format = "uri"; pattern = "^https:"  } };
 	additionalProperties = { type = "string" };
 }
 
@@ -706,6 +707,18 @@
 		end
 	end
 
+	-- Localized URIs should be secure too
+	for k, v in pairs(client_metadata) do
+		if k:find"_uri#" then
+			local uri = url.parse(v);
+			if not uri or uri.scheme ~= "https" then
+				return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+			elseif uri.host ~= client_uri.host then
+				return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+			end
+		end
+	end
+
 	-- Ensure each signed client_id JWT is unique, short ID and issued at
 	-- timestamp should be sufficient to rule out brute force attacks
 	client_metadata.nonce = id.short();