--- a/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 21:57:18 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 22:02:38 2023 +0100
@@ -570,20 +570,20 @@
local function handle_revocation_request(event)
local request, response = event.request, event.response;
- if not request.headers.authorization then
- response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
- return 401;
- elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
+ if request.headers.content_type ~= "application/x-www-form-urlencoded"
or not request.body or request.body == "" then
return 400;
end
- local credentials = get_request_credentials(request);
- if not credentials or credentials.type ~= "basic" then
- return 400;
- end
- -- OAuth "client" credentials
- if not verify_client_secret(credentials.username, credentials.password) then
- return 401;
+ if request.headers.authorization then
+ local credentials = get_request_credentials(request);
+ if not credentials or credentials.type ~= "basic" then
+ response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+ return 401;
+ end
+ -- OAuth "client" credentials
+ if not verify_client_secret(credentials.username, credentials.password) then
+ return 401;
+ end
end
local form_data = http.formdecode(event.request.body);
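Review bot: A request with no `Authorization` header now skips client verification entirely, and when credentials are supplied the verified client id is thrown away. `credentials` is local to the `if` block, so the code after `end` cannot check that the token being revoked was issued to the authenticating client, which RFC 7009 section 2.1 expects for confidential clients. Consider declaring `local client_id;` before the `if`, setting `client_id = credentials.username;` once `verify_client_secret` succeeds, and comparing it with the token's client before revoking; the revocation code is outside this hunk, so it may already do this. A comment such as `-- Client authentication is optional: public clients have no secret (RFC 7009)` above the `if` would record that the relaxation is intentional. Separately, the 401 returned when `verify_client_secret` fails sends no `WWW-Authenticate` challenge, unlike the 401 a few lines above it.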