# HG changeset patch
# User Kim Alvefur
# Date 1606067371 -3600
# Node ID 9623b99bb8d25362333d959e9ee052b08c1d9fa9
# Parent 243f7b0dbf35f39111e43b496b258e40cb753fcc
mod_http_oauth2: Keep authorization codes in memory instead of storage
Seems excessive to have them in persistent storage for such a short time. Prevents them from leaking in case they never get cashed out.
diff -r 243f7b0dbf35 -r 9623b99bb8d2 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:46:25 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:49:31 2020 +0100
@@ -1,4 +1,5 @@
 local hashes = require "util.hashes";
+local cache = require "util.cache";
 local http = require "util.http";
 local jid = require "util.jid";
 local json = require "util.json";
@@ -12,12 +13,15 @@
 local tokens = module:depends("tokenauth");
 local clients = module:open_store("oauth2_clients", "map");
-local codes = module:open_store("oauth2_codes", "map");
 local function code_expired(code)
 return os.difftime(os.time(), code.issued) > 120;
 end
+local codes = cache.new(10000, function (_, code) return code_expired(code) end);
+
 local function oauth_error(err_name, err_desc)
 return errors.new({
 type = "modify";
@@ -76,7 +80,7 @@
 end
 local code = uuid.generate();
- assert(codes:set(client_owner, client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
+ assert(codes:set(params.client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
 local redirect = url.parse(params.redirect_uri);
 local query = http.formdecode(redirect.query or "");
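Review bot: The eviction callback given to `cache.new` in the second hunk returns `code_expired(code)`, and as far as I recall util.cache treats a `false` return as a refusal to evict, in which case `set` returns `false`; the `assert(codes:set(...))` in the third hunk then raises as soon as 10000 unexpired codes are pending, so a burst of authorization requests inside the 120 s window becomes a hard error for every new authorization rather than a graceful refusal. Only the LRU tail is consulted on eviction, so expired entries that are not at the tail still count toward the limit and are never reclaimed until they age to the tail. I would document this at the cache definition, e.g. `-- Bounded in-memory store for pending authorization codes; eviction only proceeds when the oldest entry has already expired, so codes:set() returns false when 10000 unexpired codes are pending`, and in the third hunk replace the assert with an explicit failure path (returning an OAuth error to the client) rather than crashing the handler. The enclosing authorization handler starts and ends outside the third hunk, so the exact error-return shape has to be checked against the surrounding code.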
@@ -120,7 +124,7 @@
 module:log("debug", "client_secret mismatch");
 return oauth_error("invalid_client", "incorrect credentials");
 end
- local code, err = codes:get(client_owner, client_id .. "#" .. params.code);
+ local code, err = codes:get(params.client_id .. "#" .. params.code);
 if err then error(err); end
 if not code or type(code) ~= "table" or code_expired(code) then
 module:log("debug", "authorization_code invalid or expired: %q", code);
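Review bot: `codes:get` on a util.cache returns a single value rather than the `value, err` pair of a map store, so `err` on the added line is always nil and the `if err then error(err); end` context line below it is now dead; suggest `local code = codes:get(params.client_id .. "#" .. params.code);` and dropping the `err` check. Nothing in this hunk removes the entry after a successful lookup, and the diff contains no other hunk adjusting a removal call to the new single-key `codes:set` signature, so unless the code is cleared further down in the handler (outside the hunk) the same authorization code can be redeemed repeatedly within its 120 s lifetime; RFC 6749 requires codes to be single-use, so a `codes:set(params.client_id .. "#" .. params.code, nil);` once the code is accepted would close that. The enclosing token handler starts and ends outside the hunk.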