mod_sasl2_fast: Fix harmless off-by-one error (invalidates existing tokens!) Problem: This was causing the key to become "<token>--cur" instead of the expected "<token>-cur". As the same key was used by the code to both set and get, it still worked. Rationale for change: Although it worked, it's unintended, inconsistent and messy. It increases the chances of future bugs due to the unexpected format. Side-effects of change: Existing '--cur' entries will not be checked after this change, and therefore existing FAST clients will fail to authenticate until they attempt password auth and obtain a new FAST token. Existing '--cur' entries in storage will not be cleaned up by this commit, but this is considered a minor issue, and okay for the relatively few FAST deployments.

--- a/mod_sasl2_fast/mod_sasl2_fast.lua	Tue Mar 28 21:04:23 2023 +0200
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua	Wed Mar 29 16:12:15 2023 +0100
@@ -67,7 +67,7 @@
 						-- The new token is becoming the current token
 						token_store:set_keys(username, {
 							[key] = token_store.remove;
-							[key:sub(1, -4).."-cur"] = token;
+							[key:sub(1, -5).."-cur"] = token;
 						});
 					end
 					local rotation_needed;
@@ -84,7 +84,7 @@
 				log("debug", "Trying next token...");
 				-- Try again with the current token instead
 				tried_current_token = true;
-				key = key:sub(1, -4).."-cur";
+				key = key:sub(1, -5).."-cur";
 			else
 				log("debug", "No matching %s token found for %s/%s", mechanism, username, key);
 				return nil;