Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5213:dc0f502c12f1
mod_http_oauth2: Fix authorization code logic
I have no idea what it did before or if it even worked.
RFC 6749 section 4.1.2 says:
> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
So this should prevent use of codes older than 10 minutes and remove
them from the cache some time after they expire.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 06 Mar 2023 16:49:43 +0100 |
| parents | 898575a0c6f3 |
| children | d5492bc861f6 |
comparison
equal
deleted
inserted
replaced
| 5212:3235b8bd1e55 | 5213:dc0f502c12f1 |
|---|---|
| 88 end | 88 end |
| 89 | 89 |
| 90 return usermanager.get_user_role(username, module.host).name; | 90 return usermanager.get_user_role(username, module.host).name; |
| 91 end | 91 end |
| 92 | 92 |
| 93 local function code_expires_in(code) | 93 local function code_expires_in(code) --> number, seconds until code expires |
| 94 return os.difftime(os.time(), code.issued); | 94 return os.difftime(code.expires, os.time()); |
| 95 end | 95 end |
| 96 | 96 |
| 97 local function code_expired(code) | 97 local function code_expired(code) --> boolean, true: has expired, false: still valid |
| 98 return code_expires_in(code) > 120; | 98 return code_expires_in(code) < 0; |
| 99 end | 99 end |
| 100 | 100 |
| 101 local codes = cache.new(10000, function (_, code) | 101 local codes = cache.new(10000, function (_, code) |
| 102 return code_expired(code) | 102 return code_expired(code) |
| 103 end); | 103 end); |
| 104 | 104 |
| 105 -- Periodically clear out unredeemed codes. Does not need to be exact, expired | |
| 106 -- codes are rejected if tried. Mostly just to keep memory usage in check. | |
| 105 module:add_timer(900, function() | 107 module:add_timer(900, function() |
| 106 local k, code = codes:tail(); | 108 local k, code = codes:tail(); |
| 107 while code and code_expired(code) do | 109 while code and code_expired(code) do |
| 108 codes:set(k, nil); | 110 codes:set(k, nil); |
| 109 k, code = codes:tail(); | 111 k, code = codes:tail(); |
| 174 local request_username, request_host = jid.split(granted_jid); | 176 local request_username, request_host = jid.split(granted_jid); |
| 175 local granted_scopes = filter_scopes(request_username, request_host, params.scope); | 177 local granted_scopes = filter_scopes(request_username, request_host, params.scope); |
| 176 | 178 |
| 177 local code = uuid.generate(); | 179 local code = uuid.generate(); |
| 178 local ok = codes:set(params.client_id .. "#" .. code, { | 180 local ok = codes:set(params.client_id .. "#" .. code, { |
| 179 issued = os.time(); | 181 expires = os.time() + 600; |
| 180 granted_jid = granted_jid; | 182 granted_jid = granted_jid; |
| 181 granted_scopes = granted_scopes; | 183 granted_scopes = granted_scopes; |
| 182 }); | 184 }); |
| 183 if not ok then | 185 if not ok then |
| 184 return {status_code = 429}; | 186 return {status_code = 429}; |