--- a/mod_http_oauth2/mod_http_oauth2.lua Thu Jan 21 17:30:34 2021 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Thu Jan 21 18:06:12 2021 +0000
@@ -157,7 +157,7 @@
return json.encode(new_access_token(code.granted_jid, code.granted_scopes, nil));
end
-local function check_credentials(request)
+local function check_credentials(request, allow_token)
local auth_type, auth_data = string.match(request.headers.authorization, "^(%S+)%s(.+)$");
if auth_type == "Basic" then
@@ -171,6 +171,12 @@
return false;
end
return username;
+ elseif auth_type == "Bearer" and allow_token then
+ local token_info = tokens.get_token_info(auth_data);
+ if not token_info or not token_info.session or token_info.session.host ~= module.host then
+ return false;
+ end
+ return token_info.session.username;
end
return nil;
end
@@ -244,11 +250,38 @@
return response_handler(params, jid.join(user, module.host));
end
+local function handle_revocation_request(event)
+ local request, response = event.request, event.response;
+ if not request.headers.authorization then
+ response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+ return 401;
+ elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
+ or not request.body or request.body == "" then
+ return 400;
+ end
+ local user = check_credentials(request, true);
+ if not user then
+ return 401;
+ end
+
+ local form_data = http.formdecode(event.request.body);
+ if not form_data or not form_data.token then
+ return 400;
+ end
+ local ok, err = tokens.revoke_token(form_data.token);
+ if not ok then
+ module:log("warn", "Unable to revoke token: %s", tostring(err));
+ return 500;
+ end
+ return 200;
+end
+
module:depends("http");
module:provides("http", {
route = {
["POST /token"] = handle_token_grant;
["GET /authorize"] = handle_authorization_request;
+ ["POST /revoke"] = handle_revocation_request;
};
});