diff mod_http_oauth2/mod_http_oauth2.lua @ 5213:dc0f502c12f1

mod_http_oauth2: Fix authorization code logic I have no idea what it did before or if it even worked. RFC 6749 section 4.1.2 says: > A maximum authorization code lifetime of 10 minutes is RECOMMENDED. So this should prevent use of codes older than 10 minutes and remove them from the cache some time after they expire.
author Kim Alvefur <zash@zash.se>
date Mon, 06 Mar 2023 16:49:43 +0100
parents 898575a0c6f3
children d5492bc861f6
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 15:55:11 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 16:49:43 2023 +0100
@@ -90,18 +90,20 @@
 	return usermanager.get_user_role(username, module.host).name;
 end
 
-local function code_expires_in(code)
-	return os.difftime(os.time(), code.issued);
+local function code_expires_in(code) --> number, seconds until code expires
+	return os.difftime(code.expires, os.time());
 end
 
-local function code_expired(code)
-	return code_expires_in(code) > 120;
+local function code_expired(code) --> boolean, true: has expired, false: still valid
+	return code_expires_in(code) < 0;
 end
 
 local codes = cache.new(10000, function (_, code)
 	return code_expired(code)
 end);
 
+-- Periodically clear out unredeemed codes.  Does not need to be exact, expired
+-- codes are rejected if tried. Mostly just to keep memory usage in check.
 module:add_timer(900, function()
 	local k, code = codes:tail();
 	while code and code_expired(code) do
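Review bot: The new `code_expired` treats a code whose `code_expires_in` is exactly 0 as still valid, so with the one-second resolution of `os.time()` a code stays redeemable for up to 601 seconds rather than the intended 600; `return code_expires_in(code) <= 0;` keeps the 10-minute bound from RFC 6749 §4.1.2 strict. The same predicate is what the `cache.new` eviction callback and the `module:add_timer` sweep rely on, so the boundary change applies consistently to all three uses without touching them. The `module:add_timer` callback body continues past the end of the hunk.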
@@ -176,7 +178,7 @@
 
 	local code = uuid.generate();
 	local ok = codes:set(params.client_id .. "#" .. code, {
-		issued = os.time();
+		expires = os.time() + 600;
 		granted_jid = granted_jid;
 		granted_scopes = granted_scopes;
 	});
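Review bot: The literal `600` in `expires = os.time() + 600;` is the only place the 10-minute code lifetime appears in this hunk, and nothing links it to the RFC recommendation or to the `code_expired` check that enforces it; either annotate it, `expires = os.time() + 600; -- RFC 6749 §4.1.2: authorization code lifetime of at most 10 minutes`, or hoist the value into a named local defined next to `code_expired` so the lifetime and the expiry check cannot drift apart. The `ok` returned by `codes:set` is presumably handled after the hunk, since `cache.new`'s callback can refuse eviction when the oldest entry is still valid. The enclosing function starts and ends outside the hunk.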