# HG changeset patch
# User bsw
# Date 1597924875 -7200
# Node ID 3fcae27c2709dff14d704694117c6ded9c055a47
# Parent 895d327a3cb14754298798e8bf7cbc49b21a8ffb
Allow disabling certificate check for native mobile apps
diff -r 895d327a3cb1 -r 3fcae27c2709 app/main/oauth2/token.lua
--- a/app/main/oauth2/token.lua Thu Aug 20 13:50:03 2020 +0200
+++ b/app/main/oauth2/token.lua Thu Aug 20 14:01:15 2020 +0200
@@ -57,20 +57,25 @@
 local cert_ca = request.get_header("X-LiquidFeedback-CA")
 local cert_distinguished_name = request.get_header("X-SSL-DN")
 local cert_common_name
- if cert_distinguished_name then
- cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
- if not cert_common_name then
- return error_result("invalid_client", "CN in X.509 certificate invalid")
+
+ if not token.system_application or token.system_application.cert_common_name then
+ if cert_distinguished_name then
+ cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
+ if not cert_common_name then
+ return error_result("invalid_client", "CN in X.509 certificate invalid")
+ end
+ else
+ return error_result("invalid_client", "X.509 client authorization missing")
 end
- else
- return error_result("invalid_client", "X.509 client authorization missing")
 end
 if token.system_application then
- if cert_ca ~= "private" then
- return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
- end
- if cert_common_name ~= token.system_application.cert_common_name then
- return error_result("invalid_grant", "CN in X.509 certificate incorrect")
+ if token.system_application.cert_common_name then
+ if cert_ca ~= "private" then
+ return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
+ end
+ if cert_common_name ~= token.system_application.cert_common_name then
+ return error_result("invalid_grant", "CN in X.509 certificate incorrect")
+ end
 end
 else
 if cert_ca ~= "public" then
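Review bot: The exemption condition `not token.system_application or token.system_application.cert_common_name` is evaluated twice in the hunk (once before parsing the X-SSL-DN header, again as `if token.system_application.cert_common_name then` inside the system-application branch), and nothing records why a system application without a configured CN skips client-certificate authentication. Hoist it into one named local with a comment, e.g. `-- system applications with no cert_common_name (native mobile apps) are exempt from X.509 client authentication` / `local x509_required = not token.system_application or token.system_application.cert_common_name ~= nil`, and branch on `x509_required` in both places so the two checks cannot drift apart. In the exempt case `cert_ca` is not inspected at all, so a request for such an application passes this section whether the `X-LiquidFeedback-CA` header says "private", "public" or is absent; if the endpoint should still be constrained for these clients, that check is missing here. The enclosing code begins and ends outside this hunk, so whether any other client authentication applies to exempt system applications cannot be seen from the diff.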