# HG changeset patch
# User Kim Alvefur
# Date 1682164976 -7200
# Node ID eda3b078ba2cac040282398bb3999ac663c72153
# Parent 959dc350f2ade486772d76d84394b45d1bf49527
mod_http_oauth2: Validate (unused at this point) localized URIs
Client registration may include keys of the form "some_uri#lang-code" pointing to alternate language versions of the various URIs. We don't use this yet but the same validation should apply.
diff -r 959dc350f2ad -r eda3b078ba2c mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 22 14:06:41 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Apr 22 14:02:56 2023 +0200
@@ -670,6 +670,7 @@
 software_version = { type = "string" };
 };
 -- Localized versions of descriptive properties and URIs
+ patternProperties = { ["^[a-z_]+_uri#"] = { type = "string"; format = "uri"; pattern = "^https:" } };
 additionalProperties = { type = "string" };
 }
@@ -706,6 +707,18 @@
 end
 end
+ -- Localized URIs should be secure too
+ for k, v in pairs(client_metadata) do
+ if k:find"_uri#" then
+ local uri = url.parse(v);
+ if not uri or uri.scheme ~= "https" then
+ return nil, oauth_error("invalid_request", "Missing, invalid or insecure "..k);
+ elseif uri.host ~= client_uri.host then
+ return nil, oauth_error("invalid_request", "All URIs must use the same hostname as client_uri");
+ end
+ end
+ end
+
 -- Ensure each signed client_id JWT is unique, short ID and issued at
 -- timestamp should be sufficient to rule out brute force attacks
 client_metadata.nonce = id.short();
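Review bot: The `patternProperties` key `^[a-z_]+_uri#` accepts anything after the `#`, including an empty suffix or a second `#`, so `client_uri#` and `client_uri#en#x` both satisfy the schema even though the suffix is meant to be a language tag (RFC 7591 §2.2 specifies a BCP 47 tag there). Anchoring the key and constraining the tag characters, e.g. `["^[a-z_]+_uri#[A-Za-z0-9-]+$"]`, keeps malformed keys from being accepted now and later surfaced as localized links. The pattern also only covers lowercase keys, so a key such as `Client_uri#en` falls through to `additionalProperties` and is only required to be a string, though the loop added in the second hunk would still reject it if it is not an https URI on the client_uri host. The registration schema table begins outside the hunk.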
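Review bot: The same-origin check at `elseif uri.host ~= client_uri.host then` compares only the hostname, so a localized URI on a different port (`https://example.com:8443/…` against a `client_uri` of `https://example.com/`) passes as if it were the same site, and any userinfo in the URI is ignored as well; if the non-localized `*_uri` fields are validated by a stricter helper elsewhere in this function, this path should reuse it rather than re-implement the check. The comparison is also case-sensitive, which fails closed but rejects an otherwise equivalent `https://Example.com/…`; `uri.host:lower() ~= client_uri.host:lower()` (guarding against a nil host) would match hostname semantics. The loop calls `url.parse(v)` without confirming `v` is a string, so it relies on the schema having been validated first — worth stating, e.g. `-- assumes the registration schema was already validated, so every value is a string`. `k:find"_uri#"` works because the pattern has no magic characters, but `k:find("_uri#", 1, true)` makes the plain-substring intent explicit. The enclosing function begins and ends outside the hunk.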