comparison mod_http_oauth2/mod_http_oauth2.lua @ 5214:d5492bc861f6

mod_http_oauth2: Remove authorization codes after use RFC 6749 section 4.1.2 says: > The client MUST NOT use the authorization code more than once. Thus we clear it from the cache after use.
author Kim Alvefur <zash@zash.se>
date Mon, 06 Mar 2023 16:53:27 +0100
parents dc0f502c12f1
children 6a27effb3ef0
5213:dc0f502c12f1 5214:d5492bc861f6
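--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -263,10 +263,13 @@
 module:log("debug", "client_secret mismatch");
 return oauth_error("invalid_client", "incorrect credentials");
 end
 local code, err = codes:get(params.client_id .. "#" .. params.code);
 if err then error(err); end
+-- MUST NOT use the authorization code more than once, so remove it to
+-- prevent a second attempted use
+codes:set(params.client_id .. "#" .. params.code, nil);
 if not code or type(code) ~= "table" or code_expired(code) then
 module:log("debug", "authorization_code invalid or expired: %q", code);
 return oauth_error("invalid_client", "incorrect credentials");
 end
 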
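Review bot: The return value of the new `codes:set(..., nil)` call is discarded, so if the removal fails the code stays in `codes` and remains redeemable, which is exactly what this commit sets out to prevent. The `local code, err = codes:get(...)` line just above treats `codes` as something that can fail with an error, so presumably `set` can too; the failure should be handled the same way rather than ignored: `local ok, del_err = codes:set(params.client_id .. "#" .. params.code, nil);` followed by `if not ok then error(del_err); end`. If `codes` is actually an in-memory cache whose `set` cannot fail this is a no-op, but it keeps the two calls consistent. Removing the code before the validity check is the right order, since an invalid or expired code is also consumed; a short comment saying so, e.g. `-- removed even when invalid/expired: one lookup per code, valid or not`, would make that deliberate choice visible. The key expression is now built twice, hoisting it into a local such as `local code_key = params.client_id .. "#" .. params.code;` would avoid the duplication; the enclosing function starts and ends outside this hunk.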