mod_http_oauth2/mod_http_oauth2.lua
changeset 5476 b80b6947b079
parent 5475 d4d333cb75b2
child 5477 e4382f6e3564
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 18 13:24:18 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu May 18 13:43:17 2023 +0200
@@ -597,6 +597,10 @@
 	grant_type_handlers.authorization_code = nil;
 end
 
+local function render_error(err)
+	return render_page(templates.error, { error = err });
+end
+
 -- OAuth errors should be returned to the client if possible, i.e. by
 -- appending the error information to the redirect_uri and sending the
 -- redirect to the user-agent. In some cases we can't do this, e.g. if
@@ -607,7 +611,7 @@
 	local redirect_uri = q and q.redirect_uri;
 	if not redirect_uri or not is_secure_redirect(redirect_uri) then
 		module:log("warn", "Missing or invalid redirect_uri <%s>, rendering error to user-agent", redirect_uri or "");
-		return render_page(templates.error, { error = err });
+		return render_error(err);
 	end
 	local redirect_query = url.parse(redirect_uri);
 	local sep = redirect_query.query and "&" or "?";
@@ -680,28 +684,29 @@
 local function handle_authorization_request(event)
 	local request = event.request;
 
+	-- Directly returning errors to the user before we have a validated client object
 	if not request.url.query then
-		return error_response(request, oauth_error("invalid_request", "Missing query parameters"));
+		return render_error(oauth_error("invalid_request", "Missing query parameters"));
 	end
 	local params = http.formdecode(request.url.query);
 	if not params then
-		return error_response(request, oauth_error("invalid_request", "Invalid query parameters"));
+		return render_error(oauth_error("invalid_request", "Invalid query parameters"));
 	end
 
 	if not params.client_id then
-		return oauth_error("invalid_request", "Missing 'client_id' parameter");
+		return render_error(oauth_error("invalid_request", "Missing 'client_id' parameter"));
 	end
 
 	local ok, client = verify_client(params.client_id);
 
 	if not ok then
-		return oauth_error("invalid_request", "Invalid 'client_id' parameter");
+		return render_error(oauth_error("invalid_request", "Invalid 'client_id' parameter"));
 	end
 
 	local client_response_types = set.new(array(client.response_types or { "code" }));
 	client_response_types = set.intersection(client_response_types, allowed_response_type_handlers);
 	if not client_response_types:contains(params.response_type) then
-		return oauth_error("invalid_client", "'response_type' not allowed");
+		return error_response(request, oauth_error("invalid_client", "'response_type' not allowed"));
 	end
 
 	local requested_scopes = parse_scopes(params.scope or "");
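Review bot: The `error_response(request, ...)` on the `'response_type' not allowed` line redirects the user-agent to whatever `redirect_uri` the query carried, and nothing visible between `verify_client` and that line compares it with the client's registered redirect URIs; `error_response` itself (earlier hunk) only applies `is_secure_redirect`, which from its name and the surrounding log message looks like a scheme/format check rather than a per-client match. Because client_ids are public, that makes the authorization endpoint an open redirector for any known client_id, which RFC 6749 §3.1.2.4 and §10.15 rule out: a missing or mismatching redirect_uri must be reported to the user, never followed. Unless a redirect_uri-to-client check already happens before this point (the comment "before we have a validated client object" suggests the authors consider the client validated but says nothing about the redirect_uri), the match should precede the first `error_response` call and a mismatch should fall back to `render_error`, e.g. `if params.redirect_uri and not set.new(array(client.redirect_uris or {})):contains(params.redirect_uri) then return render_error(oauth_error("invalid_request", "Invalid 'redirect_uri' parameter")); end`, assuming the client record carries its registered `redirect_uris` the way it carries `response_types`. handle_authorization_request continues past the end of the hunk, so a later check may exist; if so, it is still too late for this redirect.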