Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5550:4fda06be6b08
mod_http_oauth2: Make note about handling repeated
RFC 6749 states
> If an authorization code is used more than once, the authorization
> server MUST deny the request and SHOULD revoke (when possible) all
> tokens previously issued based on that authorization code.
We should follow the SHOULD.
The MUST is already covered by removing the code state from the cache.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 16 Jun 2023 00:10:46 +0200 |
parents | 01a0b67a9afd |
children | 67152838afbc |
comparison
equal
deleted
inserted
replaced
5549:01a0b67a9afd | 5550:4fda06be6b08 |
---|---|
461 end | 461 end |
462 local code, err = codes:get(params.client_id .. "#" .. params.code); | 462 local code, err = codes:get(params.client_id .. "#" .. params.code); |
463 if err then error(err); end | 463 if err then error(err); end |
464 -- MUST NOT use the authorization code more than once, so remove it to | 464 -- MUST NOT use the authorization code more than once, so remove it to |
465 -- prevent a second attempted use | 465 -- prevent a second attempted use |
466 -- TODO if a second attempt *is* made, revoke any tokens issued | |
466 codes:set(params.client_id .. "#" .. params.code, nil); | 467 codes:set(params.client_id .. "#" .. params.code, nil); |
467 if not code or type(code) ~= "table" or code_expired(code) then | 468 if not code or type(code) ~= "table" or code_expired(code) then |
468 module:log("debug", "authorization_code invalid or expired: %q", code); | 469 module:log("debug", "authorization_code invalid or expired: %q", code); |
469 return oauth_error("invalid_client", "incorrect credentials"); | 470 return oauth_error("invalid_client", "incorrect credentials"); |
470 end | 471 end |