# HG changeset patch
# User Kim Alvefur
# Date 1606067185 -3600
# Node ID 243f7b0dbf35f39111e43b496b258e40cb753fcc
# Parent 143515d0b212d6cd8d8b3b133798128420244542
mod_http_oauth2: Reduce authorization code validity time to 2 minutes RFC 6749 states > A maximum authorization code lifetime of 10 minutes is RECOMMENDED. So 15 minutes was way too long. I was thinking 5 minutes at first but since this should generally be instant, I settled on 2 minutes as a large guesstimate on how slow it might be on slow links.
diff -r 143515d0b212 -r 243f7b0dbf35 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:39:55 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:46:25 2020 +0100
@@ -15,7 +15,7 @@
 local codes = module:open_store("oauth2_codes", "map");
 local function code_expired(code)
- return os.difftime(os.time(), code.issued) > 900;
+ return os.difftime(os.time(), code.issued) > 120;
 end
 local function oauth_error(err_name, err_desc)
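Review bot: The new lifetime in `code_expired` is a bare `120` with no unit or rationale in the code; the reasoning exists only in the commit message, so the next person tuning it has nothing to go on. I would name it, e.g. `local code_ttl = 120; -- seconds; RFC 6749 section 4.1.2 recommends at most 10 minutes`, and compare with `> code_ttl`. Separately, a shorter lifetime only narrows the replay window: the same RFC section also requires an authorization code to be single-use, and whether the entry is removed from the `codes` store on redemption is not visible in this hunk, so that is worth confirming. The check also relies on wall-clock `os.time()`, so a backwards clock step would presumably extend a code's validity.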