liquid_feedback_frontend

changeset 1514:3fcae27c2709

Allow disabling certificate check for native mobile apps
author bsw
date Thu Aug 20 14:01:15 2020 +0200 (2020-08-20)
parents 895d327a3cb1
children 6077545667ec
files app/main/oauth2/token.lua
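--- a/app/main/oauth2/token.lua
+++ b/app/main/oauth2/token.lua
@@ -57,20 +57,25 @@
   local cert_ca = request.get_header("X-LiquidFeedback-CA")
   local cert_distinguished_name = request.get_header("X-SSL-DN")
   local cert_common_name
-  if cert_distinguished_name then
-    cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
-    if not cert_common_name then
-      return error_result("invalid_client", "CN in X.509 certificate invalid")
+
+  if not token.system_application or token.system_application.cert_common_name then
+    if cert_distinguished_name then
+      cert_common_name = string.match(cert_distinguished_name, "%f[^/\0]CN=([A-Za-z0-9_.-]+)%f[/\0]")
+      if not cert_common_name then
+        return error_result("invalid_client", "CN in X.509 certificate invalid")
+      end
+    else
+      return error_result("invalid_client", "X.509 client authorization missing")
     end
-  else
-    return error_result("invalid_client", "X.509 client authorization missing")
   end
   if token.system_application then
-    if cert_ca ~= "private" then
-      return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
-    end
-    if cert_common_name ~= token.system_application.cert_common_name then
-      return error_result("invalid_grant", "CN in X.509 certificate incorrect")
+    if token.system_application.cert_common_name then
+      if cert_ca ~= "private" then
+        return error_result("invalid_client", "X.509 certificate not signed by private certificate authority or wrong endpoint used")
+      end
+      if cert_common_name ~= token.system_application.cert_common_name then
+        return error_result("invalid_grant", "CN in X.509 certificate incorrect")
+      end
     end
   else
     if cert_ca ~= "public" then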
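Review bot: On the new side, a system_application whose cert_common_name is nil skips not only the CN comparison but also the `cert_ca ~= "private"` check, so the hunk no longer constrains which CA or endpoint such a client arrives through; if the intent is only to drop the CN match, the `if cert_ca ~= "private" then ... end` block should stay outside the inner `if token.system_application.cert_common_name then`. The bypass is also undocumented: nothing states that an absent cert_common_name disables X.509 client authentication, so add above the first added `if`: `-- system applications without a configured cert_common_name (e.g. native mobile apps) skip X.509 client authentication entirely`. Consider logging when that branch is taken so that requests accepted without a client-certificate check remain auditable. The enclosing function starts and ends outside the hunk, so what else authenticates such clients cannot be confirmed from here.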
