aaronpk / indielogin.com

Sign in with your domain name
https://indielogin.com
MIT License
149 stars 24 forks

301 redirect turns post requests to get requests #78

Closed u0nel closed 2 years ago

u0nel commented 2 years ago

If the authorization endpoint link points to an http:// link, which redirects to https://, the POST request is changed to a GET request which will fail, because it is missing the client_id parameter. This violates the spec:

> When automatically redirecting a POST request after receiving a 301 status code, some existing HTTP/1.0 user agents will erroneously change it into a GET request.

aaronpk commented 2 years ago

TIL curl has the same behavior as browsers in converting a POST to a GET on a redirect, as described by RFC7231

(Note that RFC7231 describes the situation as it is in practice where browsers may do this, whereas the older RFC2616 was more strict. RFC7231 also suggests that servers use HTTP 307 to indicate that the client must not change the HTTP method.)

In any case, I don't like the behavior of changing the HTTP method so I've pushed a fix that will prevent it doing that in the future.

But also it's a bad idea to link to the http version of your authorization endpoint so I would recommend updating that link to https as well.
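To make the failure mode concrete, here is an added simulation (not code from indielogin.com) of a redirect-following client and a stand-in authorization endpoint: a 301 from http:// to https:// turns the code-verification POST into a GET and drops client_id, while a 307 keeps the method and body. The endpoint URLs and form values are constructed for the example.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
METHOD_CHANGING = {301, 302, 303}  # RFC 7231: user agents may switch POST to GET here


def follow_redirects(method, url, form, send, max_hops=5):
    """Client that follows redirects the way browsers and curl do:
    after 301/302/303 a POST is re-sent as a GET with no body, so every
    form parameter, client_id included, is lost; 307/308 keep both."""
    for _ in range(max_hops):
        resp = send(method, url, form)
        if resp["status"] not in REDIRECTS:
            return resp
        url = resp["location"]
        if resp["status"] in METHOD_CHANGING and method == "POST":
            method, form = "GET", {}
    raise RuntimeError("too many redirects")


def make_authorization_endpoint(redirect_status):
    """Constructed stand-in for an authorization endpoint whose http://
    address redirects to https:// with redirect_status. The https:// side
    only accepts a POST that carries client_id, like the real exchange."""
    def send(method, url, form):
        parts = urlsplit(url)
        if parts.scheme == "http":
            return {"status": redirect_status,
                    "location": parts._replace(scheme="https").geturl()}
        if method != "POST" or "client_id" not in form:
            return {"status": 400, "error": "missing client_id"}
        return {"status": 200}
    return send


def exchange_code(endpoint_url, redirect_status=301):
    """Send the code-verification POST to endpoint_url and return the
    status the client finally sees (hypothetical client values below)."""
    send = make_authorization_endpoint(redirect_status)
    form = {"code": "constructed-code",
            "client_id": "https://client.example/",
            "redirect_uri": "https://client.example/redirect"}
    return follow_redirects("POST", endpoint_url, form, send)["status"]


if __name__ == "__main__":
    for status in (301, 307):
        print(status, "->", exchange_code("http://auth.example/endpoint", status))
```

Linking the https:// endpoint directly, as recommended above, avoids the redirect altogether; the 307 case only shows why a redirecting server should not use 301 for a POST.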

u0nel commented 2 years ago

> But also it's a bad idea to link to the http version of your authorization endpoint so I would recommend updating that link to https as well.

Yep, I forgot to change it after I generated the certificate.