Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 17:56:10 +0200] rev 5485
mod_welcome_page: Remove dependency on mod_invites (included with Prosody)
Thanks gooya
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:51:48 +0200] rev 5484
mod_http_oauth2: Allow CORS for browser clients
Needed for web clients to reach i.e. the token endpoint.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:47:54 +0200] rev 5483
mod_http_oauth2: Disable Referrer via header
Prevents the various parameters from potentially ending up in logs, as
well as reduces the size of requests.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:25:11 +0200] rev 5482
mod_http_oauth2: Always render errors as HTML for OOB redirect URI
No invalid or insecure redirect URIs should make it to this point, so
the warning can be removed.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:17:58 +0200] rev 5481
mod_http_oauth2: Use validated redirect URI when returning errors to client
Parsing it from the query again without the validation done by
get_redirect_uri() may lead to open redirect issues.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:07:37 +0200] rev 5480
mod_http_oauth2: Return OAuth error for authz code store error
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 14:02:09 +0200] rev 5479
mod_http_oauth2: Validate redirect_uri before using it for error redirects
To be extra sure that it is safe to use in redirects from this point on.
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:41:23 +0200] rev 5478
mod_http_oauth2: Don't return redirects or HTML from token endpoint
These are used by the client, not the user, so makes more sense to
return JSON directly instead of a redirect or HTML error page when .
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:27:27 +0200] rev 5477
mod_http_oauth2: Tweak formatting of log message
No need to `or ""` anymore since Prosody rev e88db5668cfb (0.11.0) and
the %q format should produce either (nil) or "http://example"
Kim Alvefur <zash@zash.se> [Thu, 18 May 2023 13:43:17 +0200] rev 5476
mod_http_oauth2: Always show early errors to user
Before having validated the client_id, communicating an error back to
the client via redirect would make this an open redirect, so we may just
as well skip past that logic, and especially the warning log message.