OAuth 2.0 authorization and token exchange

Enforce TLS verification at runtime in exchange_code/refresh_token

Add Requests.verify_tls getter to inspect the TLS setting on a
client handle. Oauth.post_token_endpoint now checks verify_tls and
raises Invalid_argument if certificate verification is disabled,
turning a documentation precondition into a runtime enforcement.

+8 -4
+3
lib/oauth.ml
··· 391 391 ] 392 392 393 393 let post_token_endpoint http provider form_str = 394 + if not (Requests.verify_tls http) then 395 + invalid_arg 396 + "Oauth: Requests.t handle must have TLS certificate verification enabled"; 394 397 let url = token_url provider in 395 398 let body = Requests.Body.text form_str in 396 399 let resp = Requests.post http url ~body ~headers:token_headers in
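Review bot: The new guard in post_token_endpoint calls Requests.verify_tls, which the commit message describes as added in this change, but the diff here touches only lib/oauth.ml and lib/oauth.mli (+8 -4 in total), so the getter is not part of this patch; confirm it lands in the same commit or an earlier one, otherwise lib/oauth.ml does not build. The placement of the check is right: it runs before `let resp = Requests.post http url ~body ~headers:token_headers in`, so a handle with verification disabled fails before the form body with the grant parameters leaves the process. No test accompanies the fail-closed path; suggest one that creates a handle with ~verify_tls:false and asserts that both exchange_code and refresh_token raise Invalid_argument without issuing a request.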
+5 -4
lib/oauth.mli
··· 253 253 254 254 When [~code_verifier] is provided, it is included per RFC 7636 §4.5. 255 255 256 - [http] must have TLS certificate verification enabled (the default for 257 - {!Requests.create}). Passing a handle with [~verify_tls:false] voids the 258 - transport security guarantee. *) 256 + @raise Invalid_argument 257 + if [http] has TLS certificate verification disabled. {!Requests.create} 258 + enables it by default. *) 259 259 260 260 val refresh_token : 261 261 Requests.t -> ··· 268 268 refreshes an access token by POSTing to the provider's token endpoint (RFC 269 269 6749 §6). 270 270 271 - Same TLS requirement as {!exchange_code}. *) 271 + @raise Invalid_argument 272 + if TLS verification is disabled (same as {!exchange_code}). *) 272 273 273 274 val parse_token_response : string -> (token_response, parse_token_error) result 274 275 (** [parse_token_response body] parses a JSON token response body. *)
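Review bot: The exchange_code doc comment in lib/oauth.mli loses the rationale the removed text carried ("Passing a handle with [~verify_tls:false] voids the transport security guarantee"); the new `@raise Invalid_argument` tag tells callers what happens but not why, which invites catching the exception and continuing. Suggest keeping one sentence of rationale in the description proper and leaving the tag to state the condition only. Also, the trailing sentence "{!Requests.create} enables it by default." follows the exception name inside the @raise tag, so odoc renders it as part of the raise condition; it belongs in the main description.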
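Review bot: The refresh_token doc comment in lib/oauth.mli says Invalid_argument is raised "if TLS verification is disabled" but not when; since post_token_endpoint checks Requests.verify_tls before Requests.post, the refresh token is never transmitted on a handle with verification off. Suggest stating that the exception is raised before any request is made, as that is the property a caller holding a long-lived refresh token cares about, rather than relying on the parenthetical "(same as {!exchange_code})" to carry it.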