# HG changeset patch # User Kim Alvefur # Date 1686867046 -7200 # Node ID 4fda06be6b081ca62513de7b202579b34a15e686 # Parent 01a0b67a9afdf9f21e6b0bff23b0ecbd9709cf09 mod_http_oauth2: Make note about handling repeated RFC 6749 states > If an authorization code is used more than once, the authorization > server MUST deny the request and SHOULD revoke (when possible) all > tokens previously issued based on that authorization code. We should follow the SHOULD. The MUST is already covered by removing the code state from the cache. diff -r 01a0b67a9afd -r 4fda06be6b08 mod_http_oauth2/mod_http_oauth2.lua --- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 16 00:06:53 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 16 00:10:46 2023 +0200 @@ -463,6 +463,7 @@ if err then error(err); end -- MUST NOT use the authorization code more than once, so remove it to -- prevent a second attempted use + -- TODO if a second attempt *is* made, revoke any tokens issued codes:set(params.client_id .. "#" .. params.code, nil); if not code or type(code) ~= "table" or code_expired(code) then module:log("debug", "authorization_code invalid or expired: %q", code);