# HG changeset patch
# User Kim Alvefur
# Date 1678117783 -3600
# Node ID dc0f502c12f107f1b6a2140ed04f977cff69a6fe
# Parent 3235b8bd1e55134f37c10ea6c8d6fd8caa7f0474
mod_http_oauth2: Fix authorization code logic
I have no idea what it did before or if it even worked. RFC 6749 section 4.1.2 says: > A maximum authorization code lifetime of 10 minutes is RECOMMENDED. So this should prevent use of codes older than 10 minutes and remove them from the cache some time after they expire.
diff -r 3235b8bd1e55 -r dc0f502c12f1 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 15:55:11 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 16:49:43 2023 +0100
@@ -90,18 +90,20 @@
 	return usermanager.get_user_role(username, module.host).name;
 end
-local function code_expires_in(code)
-	return os.difftime(os.time(), code.issued);
+local function code_expires_in(code) --> number, seconds until code expires
+	return os.difftime(code.expires, os.time());
 end
-local function code_expired(code)
-	return code_expires_in(code) > 120;
+local function code_expired(code) --> boolean, true: has expired, false: still valid
+	return code_expires_in(code) < 0;
 end
 local codes = cache.new(10000, function (_, code) return code_expired(code) end);
+-- Periodically clear out unredeemed codes. Does not need to be exact, expired
+-- codes are rejected if tried. Mostly just to keep memory usage in check.
 module:add_timer(900, function()
 	local k, code = codes:tail();
 	while code and code_expired(code) do
@@ -176,7 +178,7 @@
 	local code = uuid.generate();
 	local ok = codes:set(params.client_id .. "#" .. code, {
-		issued = os.time();
+		expires = os.time() + 600;
 		granted_jid = granted_jid;
 		granted_scopes = granted_scopes;
 	});
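Review bot: The 600-second lifetime in the second hunk (`expires = os.time() + 600;`) is a bare literal even though the commit message ties it to the RFC 6749 recommendation and the first hunk's sweep comment depends on the same value; naming it once, `local code_lifetime = 600; -- RFC 6749 section 4.1.2: at most 10 minutes`, and writing `expires = os.time() + code_lifetime;` keeps the issuance site and `code_expired` from drifting apart and makes the relation to the 900-second timer visible. The stored field is renamed from `issued` to `expires` only at these two sites; if any other part of the file still reads `code.issued` it now gets nil, and `code_expires_in` will raise from `os.difftime` for an entry that lacks `expires`, so the redemption path is worth checking for a leftover reader. `code_expires_in` and `code_expired` are fully visible, but the `module:add_timer` callback in the first hunk continues past the hunk's last line.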