Lua runtime error when the Host header is not set

[edmorley]

I spotted this in the nginx error log (using lua-resty-openidc 1.3.2-1 and openresty 1.11.2.3):

2017/06/03 00:18:17 [error] 17499#17499: *76717 lua entry thread aborted: runtime error: /usr/share/lua/5.1/resty/openidc.lua:139: attempt to concatenate field 'http_host' (a nil value)
stack traceback:
coroutine 0:
        /usr/share/lua/5.1/resty/openidc.lua: in function 'openidc_get_redirect_uri'
        /usr/share/lua/5.1/resty/openidc.lua:173: in function 'openidc_authorize'
        /usr/share/lua/5.1/resty/openidc.lua:642: in function 'authenticate'
        .../local/openresty/nginx/conf/SNIP/openidc_layer.lua:27: in function <.../local/openresty/nginx/conf/SNIP/openidc_layer.lua:1>, client: SNIP, server: , request: "GET /scripts/nph-test-cgi?* HTTP/1.0"

Looks like someone was running a scanner against the site, which wasn't setting the Host header.

Presumably this should be null-checked before use?

[zandbelt]

Possibly, to improve error logging. I do believe the net result would be the same: abort the request.

I'd appreciate a PR for this type of thing, there's probably a couple more of these.

[edmorley]

Possibly, to improve error logging. I do believe the net result would be the same: abort the request.

In addition to less noisy logging, I think responding with an HTTP 400 would be preferred, rather than an HTTP 500?

[edmorley]

Sorry I didn't get a spare moment to open a PR - many thanks for fixing this!