--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:06:35 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Mar 16 17:52:10 2023 +0100
@@ -78,11 +78,7 @@
return array(scope_string:gmatch("%S+"));
end
-local function filter_scopes(username, host, requested_scope_string)
- if host ~= module.host then
- return usermanager.get_jid_role(username.."@"..host, module.host).name;
- end
-
+local function filter_scopes(username, requested_scope_string)
local selected_role, granted_scopes = nil, array();
if requested_scope_string then -- Specific role(s) requested
@@ -207,13 +203,16 @@
end
local granted_jid = jid.join(request_username, request_host, request_resource);
- local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope);
+ local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
return json.encode(new_access_token(granted_jid, granted_role, granted_scopes, nil));
end
function response_type_handlers.code(client, params, granted_jid)
local request_username, request_host = jid.split(granted_jid);
- local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope);
+ if not request_host or request_host ~= module.host then
+ return oauth_error("invalid_request", "invalid JID");
+ end
+ local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
local code = id.medium();
local ok = codes:set(params.client_id .. "#" .. code, {
@@ -265,7 +264,10 @@
-- Implicit flow
function response_type_handlers.token(client, params, granted_jid)
local request_username, request_host = jid.split(granted_jid);
- local granted_scopes, granted_role = filter_scopes(request_username, request_host, params.scope);
+ if not request_host or request_host ~= module.host then
+ return oauth_error("invalid_request", "invalid JID");
+ end
+ local granted_scopes, granted_role = filter_scopes(request_username, params.scope);
local token_info = new_access_token(granted_jid, granted_role, granted_scopes, nil, client);
local redirect = url.parse(get_redirect_uri(client, params.redirect_uri));