comparison mod_http_oauth2/mod_http_oauth2.lua @ 5243:d5dc8edb2695
mod_http_oauth2: Use more compact IDs
UUIDs are nice but so verbose!
The reduction in entropy for the nonce should be fine since the
timestamp also counts towards this, and it changes every second
(modulo clock shenanigans), so the chances of someone managing to get
the same client_secret by registering with the same information at the
same time as another entity should be negligible.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 11 Mar 2023 22:46:27 +0100 |
parents | 4746609a6656 |
children | fa7bd721a3f6 |
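--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -4,11 +4,11 @@
 local jid = require "util.jid";
 local json = require "util.json";
 local usermanager = require "core.usermanager";
 local errors = require "util.error";
 local url = require "socket.url";
-local uuid = require "util.uuid";
+local id = require "util.id";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
 local schema = require "util.jsonschema";
 local set = require "util.set";
@@ -183,11 +183,11 @@
 
 function response_type_handlers.code(client, params, granted_jid)
 local request_username, request_host = jid.split(granted_jid);
 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 
-local code = uuid.generate();
+local code = id.medium();
 local ok = codes:set(params.client_id .. "#" .. code, {
 expires = os.time() + 600;
 granted_jid = granted_jid;
 granted_scopes = granted_scopes;
 });
@@ -622,12 +622,13 @@
 return oauth_error("invalid_request", "Informative URI must match redirect URIs");
 end
 end
 end
 
--- Ensure each signed client_id JWT is unique
-client_metadata.nonce = uuid.generate();
+-- Ensure each signed client_id JWT is unique, short ID and issued at
+-- timestamp should be sufficient to rule out brute force attacks
+client_metadata.nonce = id.short();
 
 -- Do we want to keep everything?
 local client_id = jwt_sign(client_metadata);
 local client_secret = make_secret(client_id);
 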
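Review bot: The authorization code at new line 188 (`local code = id.medium();`) is a credential that is later exchanged for tokens, and switching it from a v4 UUID lowers its random content; if I recall util.id correctly, medium() is 12 random bytes (96 bits) versus the 122 bits of a random UUID, which falls short of the 128-bit minimum RFC 6749 §10.10 asks for tokens and codes. The 600-second expiry and the client_id prefix on the store key narrow the online guessing window, but that is a mitigation rather than a reason to shrink the secret, and the commit message only argues the trade-off for the nonce, not for the code. I would keep the compactness but use the longer variant here, `local code = id.long();`, and leave id.short() for the nonce where the issued-at timestamp carries part of the uniqueness. The body of response_type_handlers.code continues past the end of this hunk, so any later use of `code` was not reviewed.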