comparison mod_http_oauth2/mod_http_oauth2.lua @ 5550:4fda06be6b08

mod_http_oauth2: Make note about handling repeated RFC 6749 states > If an authorization code is used more than once, the authorization > server MUST deny the request and SHOULD revoke (when possible) all > tokens previously issued based on that authorization code. We should follow the SHOULD. The MUST is already covered by removing the code state from the cache.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:10:46 +0200
parents 01a0b67a9afd
children 67152838afbc
comparison
equal deleted inserted replaced
5549:01a0b67a9afd 5550:4fda06be6b08
461 end 461 end
462 local code, err = codes:get(params.client_id .. "#" .. params.code); 462 local code, err = codes:get(params.client_id .. "#" .. params.code);
463 if err then error(err); end 463 if err then error(err); end
464 -- MUST NOT use the authorization code more than once, so remove it to 464 -- MUST NOT use the authorization code more than once, so remove it to
465 -- prevent a second attempted use 465 -- prevent a second attempted use
466 -- TODO if a second attempt *is* made, revoke any tokens issued
466 codes:set(params.client_id .. "#" .. params.code, nil); 467 codes:set(params.client_id .. "#" .. params.code, nil);
467 if not code or type(code) ~= "table" or code_expired(code) then 468 if not code or type(code) ~= "table" or code_expired(code) then
468 module:log("debug", "authorization_code invalid or expired: %q", code); 469 module:log("debug", "authorization_code invalid or expired: %q", code);
469 return oauth_error("invalid_client", "incorrect credentials"); 470 return oauth_error("invalid_client", "incorrect credentials");
470 end 471 end