annotate mod_csi_grace_period/mod_csi_grace_period.lua @ 5616:59d5fc50f602

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics
author Kim Alvefur <zash@zash.se>
date Sun, 23 Jul 2023 02:56:08 +0200
parents e1e337dc05b6
children
1 -- Copyright (c) 2019 Kim Alvefur
2 --
3 -- This project is MIT/X11 licensed. Please see the
4 -- COPYING file in the source package for more information.
5 --
6 -- Yes, this module stores data in user sessions
7 -- luacheck: ignore 122
-- Length of the grace period, read from the "grace_period" option (default 30).
-- It is compared further down against a difference of two os.time() values.
local grace_period = module:get_option_number("grace_period", 30);

-- Session table of the host this module is loaded on; the handlers below
-- index it by username. This module also writes its own fields
-- (last_active, grace_time_start) onto those per-user entries, so the state
-- lives on a table shared with the rest of the server.
local this_host = prosody.hosts[module.host];
local user_sessions = this_host.sessions;
-- Handler for "csi-is-stanza-important", registered with priority 1.
-- For a message addressed to a session whose user was recently active on a
-- different resource, it sets event.reason to "grace period" and returns
-- false. In every other case it returns nothing and makes no decision.
module:hook("csi-is-stanza-important", function (event)
	if event.stanza.name ~= "message" then return end

	local session = event.session;
	if not session then return; end

	-- The lookup uses the receiving session's own username, so only activity
	-- recorded for the same account can influence the outcome.
	local user_session = user_sessions[session.username];
	if not user_session then return; end

	-- No activity has been recorded for this user yet.
	local started_at = user_session.grace_time_start;
	if not started_at then return; end

	-- The resource that was last active gets no verdict from this handler.
	if user_session.last_active == session.resource then return; end

	-- NOTE(review): os.time() is wall-clock time. If the clock is stepped
	-- backwards the difference becomes negative and still counts as "within
	-- the grace period" -- confirm that this is acceptable.
	local elapsed = os.time() - started_at;
	if elapsed < grace_period then
		session.log("debug", "Within grace period, probably seen");
		event.reason = "grace period";
		return false;
	end
end, 1);
-- Record which resource of a user was last active, and when.
-- A message counts as activity when it carries a <body/> child or an
-- <active/> chat state. The result is written to the per-user table
-- (user_sessions[username]), not to the sending session itself, so that the
-- "csi-is-stanza-important" handler can read it for the user's other resources.
-- NOTE(review): username and resource are taken from event.origin; presumably
-- only authenticated local client sessions reach these hooks -- confirm.
local function on_activity(event)
	local origin = event.origin;
	local user_session = user_sessions[origin.username];
	if not user_session then return; end

	local stanza = event.stanza;
	local shows_activity = stanza:get_child("body")
		or stanza:get_child("active", "http://jabber.org/protocol/chatstates");
	if not shows_activity then return; end

	user_session.last_active = origin.resource;
	user_session.grace_time_start = os.time();
end
-- Track activity on messages addressed to full JIDs, bare JIDs and the host.
-- The hooks are registered in the order listed.
for _, event_name in ipairs({ "pre-message/full", "pre-message/bare", "pre-message/host" }) do
	module:hook(event_name, on_activity);
end