liquid_feedback_frontend
changeset 1514:3fcae27c2709
Allow disabling certificate check for native mobile apps
author | bsw |
---|---|
date | Thu Aug 20 14:01:15 2020 +0200 (2020-08-20) |
parents | 895d327a3cb1 |
children | 6077545667ec |
files | app/main/oauth2/token.lua |
line diff
1.1 --- a/app/main/oauth2/token.lua Thu Aug 20 13:50:03 2020 +0200 1.2 +++ b/app/main/oauth2/token.lua Thu Aug 20 14:01:15 2020 +0200 1.3 @@ -57,20 +57,25 @@ 1.4 local cert_ca = request.get_header("X-LiquidFeedback-CA") 1.5 local cert_distinguished_name = request.get_header("X-SSL-DN") 1.6 local cert_common_name 1.7 - if cert_distinguished_name then 1.8 - cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]") 1.9 - if not cert_common_name then 1.10 - return error_result("invalid_client", "CN in X.509 certificate invalid") 1.11 + 1.12 + if not token.system_application or token.system_application.cert_common_name then 1.13 + if cert_distinguished_name then 1.14 + cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]") 1.15 + if not cert_common_name then 1.16 + return error_result("invalid_client", "CN in X.509 certificate invalid") 1.17 + end 1.18 + else 1.19 + return error_result("invalid_client", "X.509 client authorization missing") 1.20 end 1.21 - else 1.22 - return error_result("invalid_client", "X.509 client authorization missing") 1.23 end 1.24 if token.system_application then 1.25 - if cert_ca ~= "private" then 1.26 - return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used") 1.27 - end 1.28 - if cert_common_name ~= token.system_application.cert_common_name then 1.29 - return error_result("invalid_grant", "CN in X.509 certificate incorrect") 1.30 + if token.system_application.cert_common_name then 1.31 + if cert_ca ~= "private" then 1.32 + return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used") 1.33 + end 1.34 + if cert_common_name ~= token.system_application.cert_common_name then 1.35 + return error_result("invalid_grant", "CN in X.509 certificate incorrect") 1.36 + end 1.37 end 1.38 else 1.39 if cert_ca ~= "public" then