# HG changeset patch
# User Kim Alvefur
# Date 1678571187 -3600
# Node ID d5dc8edb26959d3d0e8fdda2d36315f24bbf301f
# Parent 4746609a66564e3d1abddf3db485faae47c0c0e0
mod_http_oauth2: Use more compact IDs

UUIDs are nice but so verbose! The reduction in entropy for the nonce should be fine since the timestamp is also counts towards this, and it changes every second (modulo clock shenanigans), so the chances of someone managing to get the same client_secret by registering with the same information at the same time as another entity should be negligible.

diff -r 4746609a6656 -r d5dc8edb2695 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:31:02 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:46:27 2023 +0100
@@ -6,7 +6,7 @@
 local usermanager = require "core.usermanager";
 local errors = require "util.error";
 local url = require "socket.url";
-local uuid = require "util.uuid";
+local id = require "util.id";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
@@ -185,7 +185,7 @@
 local request_username, request_host = jid.split(granted_jid);
 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
- local code = uuid.generate();
+ local code = id.medium();
 local ok = codes:set(params.client_id .. "#" .. code, {
 expires = os.time() + 600;
 granted_jid = granted_jid;
@@ -624,8 +624,9 @@
 end
 end
- -- Ensure each signed client_id JWT is unique
- client_metadata.nonce = uuid.generate();
+ -- Ensure each signed client_id JWT is unique, short ID and issued at
+ -- timestamp should be sufficient to rule out brute force attacks
+ client_metadata.nonce = id.short();
 -- Do we want to keep everything?
 local client_id = jwt_sign(client_metadata);
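Review bot: The authorization code on the added line of the `@@ -185` hunk moves from a v4 UUID to `id.medium()`, which shortens the random part of a credential that is later exchanged for a token, while the commit message only argues the entropy reduction for the nonce. If `util.id.medium` is the 12-byte (96-bit) variant, as I believe it is, that is below the 128-bit floor RFC 6749 §10.10 asks for in codes and tokens not handled by end users, and `local code = id.long();` would keep that margin at no visible cost. The code is keyed under `params.client_id` and expires after 600 s (both visible in the `codes:set` call), which bounds online guessing, so if medium is kept on purpose a comment should say so, e.g. `-- Random code; keyed by client_id in storage and valid for 600 s, see codes:set below`. The enclosing function starts and ends outside the hunk.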
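Review bot: The rewritten comment in the `@@ -624` hunk overstates what the nonce provides: as its first clause says, the nonce exists to make each signed client_id JWT unique, and resistance to guessing presumably rests on the signing key behind `jwt_sign`, not on the nonce length. I would drop the brute-force claim and state the actual requirement, e.g. `-- Ensure each signed client_id JWT is unique; the nonce only has to avoid` followed by `-- collisions among registrations signed within the same issued-at second`. Whether an issued-at claim is actually present in `client_metadata` or added by `jwt_sign` is not visible in this hunk, so the comment should not lean on it unless that is confirmed. The enclosing function starts and ends outside the hunk.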