Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5214:d5492bc861f6
mod_http_oauth2: Remove authorization codes after use
RFC 6749 section 4.1.2 says:
> The client MUST NOT use the authorization code more than once.
Thus we clear it from the cache after use.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 06 Mar 2023 16:53:27 +0100 |
| parents | dc0f502c12f1 |
| children | 6a27effb3ef0 |
comparison
equal
deleted
inserted
replaced
| 5213:dc0f502c12f1 | 5214:d5492bc861f6 |
|---|---|
| 263 module:log("debug", "client_secret mismatch"); | 263 module:log("debug", "client_secret mismatch"); |
| 264 return oauth_error("invalid_client", "incorrect credentials"); | 264 return oauth_error("invalid_client", "incorrect credentials"); |
| 265 end | 265 end |
| 266 local code, err = codes:get(params.client_id .. "#" .. params.code); | 266 local code, err = codes:get(params.client_id .. "#" .. params.code); |
| 267 if err then error(err); end | 267 if err then error(err); end |
| 268 -- MUST NOT use the authorization code more than once, so remove it to | |
| 269 -- prevent a second attempted use | |
| 270 codes:set(params.client_id .. "#" .. params.code, nil); | |
| 268 if not code or type(code) ~= "table" or code_expired(code) then | 271 if not code or type(code) ~= "table" or code_expired(code) then |
| 269 module:log("debug", "authorization_code invalid or expired: %q", code); | 272 module:log("debug", "authorization_code invalid or expired: %q", code); |
| 270 return oauth_error("invalid_client", "incorrect credentials"); | 273 return oauth_error("invalid_client", "incorrect credentials"); |
| 271 end | 274 end |
| 272 | 275 |