# HG changeset patch
# User Matthew Wild
# Date 1680003785 -3600
# Node ID 0566a71a7076b8f8c7535b2357d8a6588bce2f9d
# Parent 4ed65a6c2a6aeae8c932694d01d61548ddaebeb7
mod_sasl2_fast: Invalidate tokens issued prior to last password change
diff -r 4ed65a6c2a6a -r 0566a71a7076 mod_sasl2_fast/mod_sasl2_fast.lua
--- a/mod_sasl2_fast/mod_sasl2_fast.lua Mon Mar 27 23:19:09 2023 +0200
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua Tue Mar 28 12:43:05 2023 +0100
@@ -1,3 +1,5 @@
+local usermanager = require "core.usermanager";
+
 local sasl = require "util.sasl";
 local dt = require "util.datetime";
 local id = require "util.id";
@@ -38,6 +40,8 @@
 local function new_token_tester(hmac_f)
 return function (mechanism, username, client_id, token_hash, cb_data, invalidate)
+ local account_info = usermanager.get_account_info(username, module.host);
+ local last_password_change = account_info and account_info.password_updated;
 local tried_current_token = false;
 local key = hash.sha256(client_id, true).."-new";
 local token;
@@ -52,6 +56,12 @@
 log("debug", "Token found, but it has expired (%ds ago). Cleaning up...", current_time - token.expires_at);
 token_store:set(username, key, nil);
 return nil, "credentials-expired";
+ elseif last_password_change and token.issued_at < last_password_change then
+ log("debug", "Token found, but issued prior to password change (%ds ago). Cleaning up...",
+ current_time - last_password_change
+ );
+ token_store:set(username, key, nil);
+ return nil, "credentials-expired";
 end
 if not tried_current_token and not invalidate then
 -- The new token is becoming the current token
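Review bot: If `usermanager.get_account_info` returns nil or a record without `password_updated` (the `account_info and ...` guard shows both are expected), `last_password_change` ends up nil and the password-change invalidation added further down is skipped without any trace, so on an auth backend that does not record password changes the module silently keeps accepting tokens issued before a reset. A debug line at this point would make that visible to operators, e.g. `if not last_password_change then log("debug", "No password change time for %s; tokens issued before a password reset cannot be invalidated", username); end`. The lookup also runs on every FAST attempt before any token has been loaded from the store; whether that is acceptable depends on the cost of `get_account_info` for the configured provider, which is not visible here. The closure this sits in continues outside the hunk.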
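Review bot: The new branch uses a strict `<`, so a token whose `issued_at` equals `last_password_change` is kept; if both values are whole seconds, as the `%ds` formatting of their difference suggests, a token obtained with the old password in the same second the password was changed survives the reset. Unless a token can never legitimately carry an `issued_at` equal to the change time, `elseif last_password_change and token.issued_at <= last_password_change then` closes that window; the cost is that a client re-authenticating within the same second as the change is told `credentials-expired` once and obtains a fresh token on its next attempt. This branch sits inside a loop whose start and end are outside the hunk and which, going by `tried_current_token`, appears to try the new token and then the current one, so the check would apply to both.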