# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1683882698 -7200
# Node ID 6705f2a097021c77dc6a18002c217560c741b02d
# Parent  d2594bbf7c365f9960977796c573bcdd4fa8eef4
mod_http_oauth2: Reference grant by id instead of value

Fixes that the grant got mutated on use of refresh token, notably it
would gain 'id' and 'jid' properties set there by mod_tokenauth.
Previously also the secret token that we should not be remembering.

diff -r d2594bbf7c36 -r 6705f2a09702 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 11 21:43:23 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri May 12 11:11:38 2023 +0200
@@ -216,12 +216,9 @@
 	else
 		-- Grant exists, reuse existing refresh token
 		refresh_token = refresh_token_info.token;
-		refresh_token_info.token = nil; -- Prevent persistence of *secret* token
-
-		refresh_token_info.grant = nil; -- Prevent reference loop
 	end
 
-	local access_token, access_token_info = tokens.create_token(token_jid, grant, role, default_access_ttl, "oauth2");
+	local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
 
 	local expires_at = access_token_info.expires;
 	return {