Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 16:53:27 +0100] rev 5218
mod_http_oauth2: Remove authorization codes after use
RFC 6749 section 4.1.2 says:
> The client MUST NOT use the authorization code more than once.
Thus we clear it from the cache after use.
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 16:49:43 +0100] rev 5217
mod_http_oauth2: Fix authorization code logic
I have no idea what it did before or if it even worked.
RFC 6749 section 4.1.2 says:
> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
So this should prevent use of codes older than 10 minutes and remove
them from the cache some time after they expire.
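The two authorization-code changes above (rev 5218, removal after use, and rev 5217, the 10 minute lifetime) are illustrated below as an added example. It is not code from mod_http_oauth2; the store, its function names and the sample codes are hypothetical, and `invalid_grant` is the error code RFC 6749 section 5.2 defines for an invalid or expired code.

```lua
-- Added illustration; not mod_http_oauth2's code. All names are hypothetical.
local CODE_LIFETIME = 600 -- seconds: the 10 minute maximum RFC 6749 section 4.1.2 recommends

-- `now` is an injectable clock (defaults to os.time) so expiry can be exercised.
local function new_code_store(now)
	now = now or os.time
	local codes = {} -- code string -> { grant = ..., expires = timestamp }
	local store = {}

	function store.issue(code, grant)
		codes[code] = { grant = grant, expires = now() + CODE_LIFETIME }
	end

	-- Called by the token endpoint. The entry is deleted before the expiry
	-- check, so a code cannot be redeemed a second time whatever the outcome.
	function store.redeem(code)
		local entry = codes[code]
		codes[code] = nil
		if not entry or now() >= entry.expires then
			return nil, "invalid_grant" -- unknown, already used, or expired
		end
		return entry.grant
	end

	-- Periodic cleanup of codes that expired without ever being redeemed.
	function store.sweep()
		local removed = 0
		for code, entry in pairs(codes) do
			if now() >= entry.expires then
				codes[code] = nil
				removed = removed + 1
			end
		end
		return removed
	end

	return store
end

-- Constructed sample run against a fake clock.
local t = 0
local store = new_code_store(function() return t end)
store.issue("code-a", { user = "alice", client = "client-1" })
store.issue("code-b", { user = "bob", client = "client-1" })
store.issue("code-c", { user = "carol", client = "client-1" })

assert(store.redeem("code-a").user == "alice") -- first use succeeds
assert(select(2, store.redeem("code-a")) == "invalid_grant") -- replay is refused
t = CODE_LIFETIME + 1
assert(store.redeem("code-b") == nil) -- presented after expiry
assert(store.sweep() == 1) -- code-c was never redeemed and is swept
```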
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 15:55:11 +0100] rev 5216
mod_http_oauth2: Include html templates in package for plugin installer
luarocks needs this extra metadata
Kim Alvefur <zash@zash.se> [Thu, 23 Feb 2023 00:30:59 +0100] rev 5215
mod_conversejs: This one weird trick updates options on reload
Options queried from the config in get_converse_options() would take
effect immediately after Prosody reloads the config. Including
'conversejs_options' in this behaviour by simply moving a line seems
worth it.
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 10:37:43 +0000] rev 5214
mod_http_oauth2: Switch to '303 See Other' redirects
This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is
the only redirect code that guarantees the user agent will use a GET request,
rather than re-submitting a POST request to the new URL.
The latter would be bad for us, as we are encoding auth tokens in the form
data.
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 10:29:14 +0000] rev 5213
mod_http_oauth2: Allow non-HTTPS on localhost URLs
This is the recommended behaviour (draft-ietf-oauth-v2-1-07 section 7.5.1).
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 09:46:58 +0000] rev 5212
mod_http_oauth2: Add authentication, consent and error pages
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 09:40:17 +0000] rev 5211
mod_http_oauth: Factor out issuer URL calculation to a helper function
Kim Alvefur <zash@zash.se> [Sun, 05 Mar 2023 12:38:20 +0100] rev 5210
mod_http_oauth2: Clarify comment referencing mod_http_errors (thanks MattJ)
Must have typed text/plain twice by accident here.
Kim Alvefur <zash@zash.se> [Sat, 04 Mar 2023 23:36:13 +0100] rev 5209
mod_http_oauth2: Specify host for which to retrieve list of roles
Fixes core/usermanager.lua:299: attempt to index a nil value (field '?')