mod_http_oauth2: Relax payload content type checking in revocation
authorKim Alvefur <zash@zash.se>
Tue, 21 Mar 2023 22:29:47 +0100
changeset 5271 60e0bc35de33
parent 5270 5943605201ca
child 5272 bac39c6e7203
mod_http_oauth2: Relax payload content type checking in revocation

The code expected `Content-Type: application/x-www-form-urlencoded`, but HTTPie sent `Content-Type: application/x-www-form-urlencoded; charset=utf-8`, so the request did not work.
mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 22:23:28 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Tue Mar 21 22:29:47 2023 +0100
@@ -548,10 +548,6 @@
 
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
-		if request.headers.content_type ~= "application/x-www-form-urlencoded"
-	or not request.body or request.body == "" then
-		return 400;
-	end
 	if request.headers.authorization then
 		local credentials = get_request_credentials(request);
 		if not credentials or credentials.type ~= "basic" then
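Review bot: Dropping the Content-Type guard at the former lines 548–551 removes the check entirely instead of tolerating media-type parameters, so any body — JSON, multipart, or an empty POST — is now handed to `http.formdecode` further down in handle_revocation_request, whose body continues past this hunk. The commit message only needed `; charset=utf-8` to be accepted, which is achieved by comparing the media type with its parameters stripped rather than by deleting the check. I would keep the guard at the top of the handler, before the client-authentication branch, in the form below; it rejects wrong media types early with the same 415 the second hunk introduces and leaves the missing-token case to be reported separately. Note that `-` is a quantifier in Lua patterns, so the expected type is compared as a plain string rather than matched.
```lua
local function handle_revocation_request(event)
	local request, response = event.request, event.response;
	-- Accept "application/x-www-form-urlencoded" with or without parameters such as "; charset=utf-8"
	local media_type = (request.headers.content_type or ""):match("^%s*([^;%s]+)");
	if not media_type or media_type:lower() ~= "application/x-www-form-urlencoded" then
		response.headers.accept = "application/x-www-form-urlencoded";
		return 415;
	end
	-- … unchanged: client authentication and form decoding …
```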
@@ -564,9 +560,10 @@
 		end
 	end
 
-	local form_data = http.formdecode(event.request.body);
+	local form_data = http.formdecode(event.request.body or "");
 	if not form_data or not form_data.token then
-		return 400;
+		response.headers.accept = "application/x-www-form-urlencoded";
+		return 415;
 	end
 	local ok, err = tokens.revoke_token(form_data.token);
 	if not ok then
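Review bot: The 415 at the new line 561 is returned for a body that decoded fine but carries no `token` field, which is a malformed request rather than an unsupported media type; with the Content-Type guard gone from the top of the handler, the same branch also covers an absent body and a non-form body, so a client can no longer tell these cases apart. RFC 7009 §2.2.1 defers to RFC 6749 §5.2 for the missing-parameter case, which is a 400 `invalid_request`, so I would keep `return 400;` here and leave 415 to a dedicated media-type check performed before decoding. Whether `http.formdecode` returns nil or an empty table for `""` is not visible here, so the `not form_data` guard is worth keeping either way. Separately, `Accept` is a request header field; for a 415 the supported media type is conventionally advertised with `Accept-Post`, which is worth checking against what the rest of the module does. The handler's tail (the `revoke_token` error handling) continues past this hunk.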