mod_http_oauth2: Make note about handling repeated RFC 6749 states > If an authorization code is used more than once, the authorization > server MUST deny the request and SHOULD revoke (when possible) all > tokens previously issued based on that authorization code. We should follow the SHOULD. The MUST is already covered by removing the code state from the cache.

mod_http_oauth2: Add TODO about disabling password grant Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.

mod_http_oauth2: Disable CORS for authorization endpoint Per recommendation in draft-ietf-oauth-security-topics-23 Hopefully it is enough to return an error status, since mod_http will add CORS headers from a handler with higher priority, even for OPTIONS.

mod_http_oauth2: Make CSP configurable E.g. to enable forbidding all scripts if you don't use any scripts, or allow scripts from your separate static content domain, etc.

mod_http_oauth2: Link to RFC 7628 in README Links are good.

mod_http_oauth2: Use code spans for some config options in README To make them more recognisable as code things.

mod_http_oauth2: Remove underscore prefix LuaCheck considers this to mean that a variable it unused, but this one is not.

mod_cloud_notify_extensions: Fix Markdown syntax of Compatibility table

mod_firewall: Add console commands to mark/unmark users

mod_firewall: Load marks from storage on demand rather than at login This ensures people who don't use marks, or use them infrequently, don't pay a perf cost on every resource bind.