changeset 4270:243f7b0dbf35

mod_http_oauth2: Reduce authorization code validity time to 2 minutes

RFC 6749 states

> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

So 15 minutes was way too long. I was thinking 5 minutes at first but since this should generally be instant, I settled on 2 minutes as a large guesstimate on how slow it might be on slow links.
author Kim Alvefur <zash@zash.se>
date Sun, 22 Nov 2020 18:46:25 +0100
parents 143515d0b212
children 9623b99bb8d2
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Nov 22 18:39:55 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Nov 22 18:46:25 2020 +0100
@@ -15,7 +15,7 @@
 local codes = module:open_store("oauth2_codes", "map");
 
 local function code_expired(code)
-	return os.difftime(os.time(), code.issued) > 900;
+	return os.difftime(os.time(), code.issued) > 120;
 end
 
 local function oauth_error(err_name, err_desc)
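Review bot: the bare 120 in code_expired has no unit and no rationale next to it, so the reasoning from the commit message (the RFC 6749 recommendation of at most 10 minutes, and 2 minutes as an allowance for slow links) is lost to anyone reading the file. Consider lifting it into a named local declared above the function, with a comment stating that it is in seconds and citing the RFC, and having the comparison read against that name. Since the value is described as a guess about slow links, it may also be worth making it a module option so a deployment can adjust it without patching, as long as any configured value is kept within the RFC's 10 minute recommendation. Note also that the comparison is a strict `>`, so a code presented exactly 120 seconds after `code.issued` is still accepted; if the intent is a hard 2 minute ceiling, `>=` would express that.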