Mon, 06 Mar 2023 16:53:27 +0100 mod_http_oauth2: Remove authorization codes after use
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 16:53:27 +0100] rev 5218
mod_http_oauth2: Remove authorization codes after use
RFC 6749 section 4.1.2 says:
> The client MUST NOT use the authorization code more than once.
Thus we clear it from the cache after use.
Mon, 06 Mar 2023 16:49:43 +0100 mod_http_oauth2: Fix authorization code logic
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 16:49:43 +0100] rev 5217
mod_http_oauth2: Fix authorization code logic
I have no idea what it did before or if it even worked.
RFC 6749 section 4.1.2 says:
> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
So this should prevent use of codes older than 10 minutes and remove them from the cache some time after they expire.
Mon, 06 Mar 2023 15:55:11 +0100 mod_http_oauth2: Include html templates in package for plugin installer
Kim Alvefur <zash@zash.se> [Mon, 06 Mar 2023 15:55:11 +0100] rev 5216
mod_http_oauth2: Include html templates in package for plugin installer
luarocks needs this extra metadata
Thu, 23 Feb 2023 00:30:59 +0100 mod_conversejs: This one weird trick updates options on reload
Kim Alvefur <zash@zash.se> [Thu, 23 Feb 2023 00:30:59 +0100] rev 5215
mod_conversejs: This one weird trick updates options on reload
Options queried from the config in get_converse_options() would take effect immediately after Prosody reloads the config. Including 'conversejs_options' in this behaviour by simply moving a line seems worth it.
Mon, 06 Mar 2023 10:37:43 +0000 mod_http_oauth2: Switch to '303 See Other' redirects
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 10:37:43 +0000] rev 5214
mod_http_oauth2: Switch to '303 See Other' redirects
This is the recommendation by draft-ietf-oauth-v2-1-07 section 7.5.2. It is the only redirect code that guarantees the user agent will use a GET request, rather than re-submitting a POST request to the new URL. The latter would be bad for us, as we are encoding auth tokens in the form data.
Mon, 06 Mar 2023 10:29:14 +0000 mod_http_oauth2: Allow non-HTTPS on localhost URLs
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 10:29:14 +0000] rev 5213
mod_http_oauth2: Allow non-HTTPS on localhost URLs
This is the recommended behaviour (draft-ietf-oauth-v2-1-07 section 7.5.1).
Mon, 06 Mar 2023 09:46:58 +0000 mod_http_oauth2: Add authentication, consent and error pages
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 09:46:58 +0000] rev 5212
mod_http_oauth2: Add authentication, consent and error pages
Mon, 06 Mar 2023 09:40:17 +0000 mod_http_oauth: Factor out issuer URL calculation to a helper function
Matthew Wild <mwild1@gmail.com> [Mon, 06 Mar 2023 09:40:17 +0000] rev 5211
mod_http_oauth: Factor out issuer URL calculation to a helper function
Sun, 05 Mar 2023 12:38:20 +0100 mod_http_oauth2: Clarify comment referencing mod_http_errors (thanks MattJ)
Kim Alvefur <zash@zash.se> [Sun, 05 Mar 2023 12:38:20 +0100] rev 5210
mod_http_oauth2: Clarify comment referencing mod_http_errors (thanks MattJ)
Must have typed text/plain twice by accident here.
Sat, 04 Mar 2023 23:36:13 +0100 mod_http_oauth2: Specify host for which to retrieve list of roles
Kim Alvefur <zash@zash.se> [Sat, 04 Mar 2023 23:36:13 +0100] rev 5209
mod_http_oauth2: Specify host for which to retrieve list of roles
Fixes core/usermanager.lua:299: attempt to index a nil value (field '?')