mod_http_oauth2/mod_http_oauth2.lua
changeset 5630 a44af1b646f5
parent 5623 81042c2a235a
child 5632 9aace51c3637
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:24 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Jul 31 02:07:58 2023 +0200
@@ -1041,6 +1041,8 @@
 	}
 end
 
+local strict_auth_revoke = module:get_option_boolean("oauth2_require_auth_revoke", false);
+
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
 	response.headers.cache_control = "no-store";
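Review bot: The new option `strict_auth_revoke` has no comment saying what it switches, and its default of `false` is the security-relevant half of the change (revocation stays reachable without client credentials unless an admin opts in). A one-line note above it would make the choice deliberate rather than accidental, e.g. `-- When true, /revoke requires valid client credentials (RFC 7009 §2.1); off by default so a leaked token can be revoked by whoever finds it`, which I infer from the comment in the later hunk rather than from this one. handle_revocation_request itself begins here and continues past the hunk.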
@@ -1055,6 +1057,11 @@
 		if not verify_client_secret(credentials.username, credentials.password) then
 			return 401;
 		end
+		-- TODO check that it's their token I guess?
+	elseif strict_auth_revoke then
+		-- Why require auth to revoke a leaked token?
+		response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+		return 401;
 	end
 
 	local form_data = strict_formdecode(event.request.body);
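Review bot: Client authentication is verified but the token being revoked is never tied to that client, which is what the added `-- TODO check that it's their token I guess?` after verify_client_secret is pointing at; RFC 7009 §2.1 has the server verify the token was issued to the requesting client, otherwise any registered client can revoke another client's tokens, and the rest of the handler that would do this runs past the hunk. That check belongs after the form is decoded, comparing the stored token's client identity with `credentials.username` and refusing (or treating the token as invalid) on mismatch; the token's stored shape is not visible here, so the exact field is for the author to fill in. Two smaller points on the new branch: the 401 from the failed-secret path two lines above still goes out without a `WWW-Authenticate` header, so the header assignment should be shared by both 401s rather than only the strict one, and `%q` is Lua's source-code quoting, not an HTTP quoted-string escaper — harmless while the realm is the server-controlled `module.host.."/"..module.name`, but worth a comment such as `-- %q is adequate here only because host/module names contain no quotes or control characters`. The comment `-- Why require auth to revoke a leaked token?` reads as an open question; stating the decision (unauthenticated revocation is allowed by default on purpose) would serve the next reader better.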