mod_http_oauth2: Allow revoking a token without OAuth client credentials
If you hold a valid token that you are not supposed to have, revoking it
is the most responsible thing to do with it, so that should be allowed;
and if you are supposed to have it, you should also be allowed to revoke
it.
--- a/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 21:57:18 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Tue Mar 21 22:02:38 2023 +0100
@@ -570,20 +570,20 @@
local function handle_revocation_request(event)
local request, response = event.request, event.response;
- if not request.headers.authorization then
- response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
- return 401;
- elseif request.headers.content_type ~= "application/x-www-form-urlencoded"
+ if request.headers.content_type ~= "application/x-www-form-urlencoded"
or not request.body or request.body == "" then
return 400;
end
- local credentials = get_request_credentials(request);
- if not credentials or credentials.type ~= "basic" then
- return 400;
- end
- -- OAuth "client" credentials
- if not verify_client_secret(credentials.username, credentials.password) then
- return 401;
+ if request.headers.authorization then
+ local credentials = get_request_credentials(request);
+ if not credentials or credentials.type ~= "basic" then
+ response.headers.www_authenticate = string.format("Basic realm=%q", module.host.."/"..module.name);
+ return 401;
+ end
+ -- OAuth "client" credentials
+ if not verify_client_secret(credentials.username, credentials.password) then
+ return 401;
+ end
end
local form_data = http.formdecode(event.request.body);