view mod_s2s_idle_timeout/mod_s2s_idle_timeout.lua @ 5390:f2363e6d9a64

mod_http_oauth2: Advertise the currently supported id_token signing algorithm This field is REQUIRED. The algorithm RS256 MUST be included, but isn't because we don't implement it, as that would require implementing a pile of additional cryptography and JWT stuff. Instead the id_token is signed using the client secret, which allows verification by the client, since it's a shared secret per OpenID Connect Core 1.0 ยง 10.1 under Symmetric Signatures. OpenID Connect Discovery 1.0 has a lot of REQUIRED and MUST clauses that are not supported here, but that's okay because this is served from the RFC 8414 OAuth 2.0 Authorization Server Metadata .well-known endpoint!
author Kim Alvefur <zash@zash.se>
date Sun, 30 Apr 2023 16:13:40 +0200
parents 4e235e565693
children
line wrap: on
line source

local now = os.time;

local s2smanager = require "core.s2smanager";
local timer = require "util.timer";

local s2s_sessions = setmetatable({}, { __mode = "kv" });

local idle_timeout = module:get_option("s2s_idle_timeout") or 300;
local check_interval = math.ceil(idle_timeout * 0.75);

local function install_checks(session)
	if not session.last_received_time then
		session.last_received_time = now();
		if session.direction == "incoming" then
			local _data = session.data;
			function session.data(conn, data)
				session.last_received_time = now();
				return _data(conn, data);
			end
		else
			local _sends2s = session.sends2s;
			function session.sends2s(data)
				session.last_received_time = now();
				return _sends2s(data);
			end
		end
		s2s_sessions[session] = true;
	end
end

module:hook("s2s-authenticated", function (event)
	install_checks(event.session);
end);

function check_idle_sessions(time)
	time = time or now();
	for session in pairs(s2s_sessions) do
		local last_received_time = session.last_received_time;
		if last_received_time and time - last_received_time > idle_timeout then
			module:log("debug", "Closing idle connection %s->%s",
				session.from_host or "(unknown)", session.to_host or "(unknown)");
			session:close(); -- Close-on-idle isn't an error
			s2s_sessions[session] = nil;
		end
	end
	return check_interval;
end
timer.add_task(check_interval, check_idle_sessions);

function module.save()
	return { s2s_sessions = s2s_sessions };
end

function module.restore(data)
	s2s_sessions = setmetatable(data.s2s_sessions or {}, { __mode = "kv" });
end