Mercurial > prosody-modules
changeset 5214:d5492bc861f6
mod_http_oauth2: Remove authorization codes after use
RFC 6749 section 4.1.2 says:
> The client MUST NOT use the authorization code more than once.
Thus we clear it from the cache after use.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 06 Mar 2023 16:53:27 +0100 |
parents | dc0f502c12f1 |
children | fd6cb4365438 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 3 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 16:49:43 2023 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 06 16:53:27 2023 +0100 @@ -265,6 +265,9 @@ end local code, err = codes:get(params.client_id .. "#" .. params.code); if err then error(err); end + -- MUST NOT use the authorization code more than once, so remove it to + -- prevent a second attempted use + codes:set(params.client_id .. "#" .. params.code, nil); if not code or type(code) ~= "table" or code_expired(code) then module:log("debug", "authorization_code invalid or expired: %q", code); return oauth_error("invalid_client", "incorrect credentials");