comparison mod_http_oauth2/mod_http_oauth2.lua @ 5646:d67980d9e12d
mod_http_oauth2: Apply refresh token ttl to refresh token instead of grant
The intent in 59d5fc50f602 was for refresh tokens to extend the lifetime
of the grant, but the refresh token ttl was applied to the grant and
mod_tokenauth does not change it, leading to the grant expiring
regardless of refresh token usage.
This makes grant lifetimes unlimited, which seems to be standard
practice in the wild.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 11 Sep 2023 10:48:31 +0200 |
parents | 73c3d5bfce3e |
children | bbde136a4c29 |
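--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
 end
 
 local grant = refresh_token_info and refresh_token_info.grant;
 if not grant then
 -- No existing grant, create one
-grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data);
+grant = tokens.create_grant(token_jid, token_jid, nil, token_data);
 end
 
 if refresh_token_info then
 -- out with the old refresh tokens
 local ok, err = tokens.revoke_token(refresh_token_info.token);
 module:log("error", "Could not revoke refresh token: %s", err);
 return 500;
 end
 end
 -- in with the new refresh token
-local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, nil, "oauth2-refresh");
+local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh");
 
 if role == "xmpp" then
 -- Special scope meaning the users default role.
 local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);
 role = user_default_role and user_default_role.name;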
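Review bot: With the ttl argument at line 275 now nil, a grant never expires on its own, so a grant whose refresh token lapses unused, or that never gets one because refresh_token_info is false at line 287, stays in storage indefinitely with nothing left that can use it, and a client that keeps refreshing now has no absolute upper bound on the session; the commit message accepts the unlimited lifetime but the code does not say so. I would add above line 275: `-- Grants get no expiry of their own; their effective lifetime is bounded by the refresh token ttl (renewed on every refresh), so nothing here reaps a grant once its tokens are gone.` Whether tokens.create_grant or mod_tokenauth reaps tokenless grants is not visible in this hunk and should be confirmed before relying on it. Line 281 (the check on `ok`) is not reproduced on this page, and the enclosing function starts before and continues after the hunk.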