
diff app/main/oauth2/register.lua @ 1309:32cc544d5a5b

Cumulative patch for upcoming frontend version 4
author bsw/jbe
date Sun Jul 15 14:07:29 2018 +0200 (2018-07-15)
parents
children
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/app/main/oauth2/register.lua	Sun Jul 15 14:07:29 2018 +0200
     1.3 @@ -0,0 +1,77 @@
     1.4 +if not request.is_post() then
     1.5 +  return execute.view { module = "index", view = "405" }
     1.6 +end
     1.7 +
     1.8 +slot.set_layout(nil, "application/json;charset=UTF-8")
     1.9 +
    1.10 +local r = json.object()
    1.11 +
    1.12 +local function error_result(error_code, error_description)
    1.13 +  -- TODO special HTTP status codes for some errors?
    1.14 +  request.set_status("400 Bad Request")
    1.15 +  slot.put_into("data", json.export{ 
    1.16 +    error = error_code,
    1.17 +    error_description = error_description
    1.18 +  })
    1.19 +end
    1.20 +
    1.21 +local client_id = param.get("client_id")
    1.22 +local flow = param.get("flow")
    1.23 +local scope = param.get("scope")
    1.24 +
    1.25 +if flow ~= "code" and flow ~= "token" then
    1.26 +  return error_result("invalid_request", "invalid flow")
    1.27 +end
    1.28 +
    1.29 +local domain
    1.30 +
    1.31 +if client_id then
    1.32 +  domain = string.match(client_id, "^dynamic:([a-z0-9.-]+)$")
    1.33 +  if not domain then
    1.34 +    return error_result("invalid_client", "invalid client_id (use lower case host name prefixed with 'dynamic:')")
    1.35 +  end
    1.36 +end
    1.37 +
    1.38 +local cert_ca = request.get_header("X-LiquidFeedback-CA")
    1.39 +local cert_distinguished_name = request.get_header("X-SSL-DN")
    1.40 +local cert_common_name
    1.41 +
    1.42 +if cert_distinguished_name then
    1.43 +  cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
    1.44 +  if not cert_common_name then
    1.45 +    return error_result("invalid_client", "CN in X.509 certificate invalid")
    1.46 +  end
    1.47 +else
    1.48 +  return error_result("invalid_client", "X.509 client authorization missing")
    1.49 +end
    1.50 +
    1.51 +if cert_ca ~= "public" then
    1.52 +  return error_result("invalid_client", "X.509 certificate not signed by publicly trusted certificate authority or wrong endpoint used")
    1.53 +end
    1.54 +
    1.55 +if domain then
    1.56 +  if domain ~= cert_common_name then
    1.57 +    return error_result("invalid_grant", "CN in X.509 certificate incorrect")
    1.58 +  end
    1.59 +else
    1.60 +  domain = cert_common_name
    1.61 +end
    1.62 +
    1.63 +local redirect_uri = "https://" .. domain .. "/" .. config.oauth2.endpoint_magic
    1.64 +
    1.65 +local expiry = db:query({ "SELECT now() + (? || 'sec')::interval AS expiry", config.oauth2.dynamic_registration_lifetime }, "object").expiry
    1.66 +  
    1.67 +for s in string.gmatch(scope, "[^ ]+") do
    1.68 +  local dynamic_application_scope = DynamicApplicationScope:new()
    1.69 +  dynamic_application_scope.redirect_uri = redirect_uri
    1.70 +  dynamic_application_scope.flow = flow
    1.71 +  dynamic_application_scope.scope = s
    1.72 +  dynamic_application_scope.expiry = expiry
    1.73 +  dynamic_application_scope:upsert_mode()
    1.74 +  dynamic_application_scope:save()
    1.75 +end
    1.76 +
    1.77 +r.client_id = "dynamic:" .. domain
    1.78 +r.expires_in = config.oauth2.dynamic_registration_lifetime
    1.79 +
    1.80 +slot.put_into("data", json.export(r))
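Review bot: The `scope` parameter is never validated before `string.gmatch(scope, "[^ ]+")` at 1.67, so a POST without `scope` raises a Lua error (a 500) instead of the `400 invalid_request` that every other bad input gets, and an empty or whitespace-only `scope` registers no DynamicApplicationScope rows yet still returns a success body with a `client_id`. Add a guard next to the flow check: `if not scope or not string.find(scope, "%S") then return error_result("invalid_request", "missing scope") end`. Note also that the whole client authentication rests on `X-SSL-DN` and `X-LiquidFeedback-CA` being set by the TLS-terminating proxy; the file gives no hint of that, so a header comment such as `-- X-SSL-DN / X-LiquidFeedback-CA must be set (and client-supplied values stripped) by the reverse proxy; a client able to inject them would bypass X.509 authentication` would document the deployment requirement. Finally, the CN pattern at 1.43 accepts uppercase and `_` while the `client_id` pattern at 1.32 does not, so a certificate whose CN contains either can only register by omitting `client_id`, and then yields a `client_id` that this same endpoint would reject on the next call; presumably the two character classes should agree.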
