mod_welcome_page: Remove dependency on mod_invites (included with Prosody) Thanks gooya

mod_http_oauth2: Allow CORS for browser clients Needed for web clients to reach i.e. the token endpoint.

mod_http_oauth2: Disable Referrer via header Prevents the various parameters from potentially ending up in logs, as well as reduces the size of requests.

mod_http_oauth2: Always render errors as HTML for OOB redirect URI No invalid or insecure redirect URIs should make it to this point, so the warning can be removed.

mod_http_oauth2: Use validated redirect URI when returning errors to client Parsing it from the query again without the validation done by get_redirect_uri() may lead to open redirect issues.

mod_http_oauth2: Return OAuth error for authz code store error

mod_http_oauth2: Validate redirect_uri before using it for error redirects To be extra sure that it is safe to use in redirects from this point on.

mod_http_oauth2: Don't return redirects or HTML from token endpoint These are used by the client, not the user, so makes more sense to return JSON directly instead of a redirect or HTML error page when .

mod_http_oauth2: Tweak formatting of log message No need to `or ""` anymore since Prosody rev e88db5668cfb (0.11.0) and the %q format should produce either (nil) or "http://example"

mod_http_oauth2: Always show early errors to user Before having validated the client_id, communicating an error back to the client via redirect would make this an open redirect, so we may just as well skip past that logic, and especially the warning log message.