Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5213:dc0f502c12f1

mod_http_oauth2: Fix authorization code logic I have no idea what it did before or if it even worked. RFC 6749 section 4.1.2 says: > A maximum authorization code lifetime of 10 minutes is RECOMMENDED. So this should prevent use of codes older than 10 minutes and remove them from the cache some time after they expire.
author Kim Alvefur <zash@zash.se>
date Mon, 06 Mar 2023 16:49:43 +0100
parent 5210:898575a0c6f3
child 5214:d5492bc861f6
comparison
equal deleted inserted replaced
5212:3235b8bd1e55 5213:dc0f502c12f1
88 end 88 end
89 89
90 return usermanager.get_user_role(username, module.host).name; 90 return usermanager.get_user_role(username, module.host).name;
91 end 91 end
92 92
93 local function code_expires_in(code) 93 local function code_expires_in(code) --> number, seconds until code expires
94 return os.difftime(os.time(), code.issued); 94 return os.difftime(code.expires, os.time());
95 end 95 end
96 96
97 local function code_expired(code) 97 local function code_expired(code) --> boolean, true: has expired, false: still valid
98 return code_expires_in(code) > 120; 98 return code_expires_in(code) < 0;
99 end 99 end
100 100
101 local codes = cache.new(10000, function (_, code) 101 local codes = cache.new(10000, function (_, code)
102 return code_expired(code) 102 return code_expired(code)
103 end); 103 end);
104 104
105 -- Periodically clear out unredeemed codes. Does not need to be exact, expired
106 -- codes are rejected if tried. Mostly just to keep memory usage in check.
105 module:add_timer(900, function() 107 module:add_timer(900, function()
106 local k, code = codes:tail(); 108 local k, code = codes:tail();
107 while code and code_expired(code) do 109 while code and code_expired(code) do
108 codes:set(k, nil); 110 codes:set(k, nil);
109 k, code = codes:tail(); 111 k, code = codes:tail();
174 local request_username, request_host = jid.split(granted_jid); 176 local request_username, request_host = jid.split(granted_jid);
175 local granted_scopes = filter_scopes(request_username, request_host, params.scope); 177 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
176 178
177 local code = uuid.generate(); 179 local code = uuid.generate();
178 local ok = codes:set(params.client_id .. "#" .. code, { 180 local ok = codes:set(params.client_id .. "#" .. code, {
179 issued = os.time(); 181 expires = os.time() + 600;
180 granted_jid = granted_jid; 182 granted_jid = granted_jid;
181 granted_scopes = granted_scopes; 183 granted_scopes = granted_scopes;
182 }); 184 });
183 if not ok then 185 if not ok then
184 return {status_code = 429}; 186 return {status_code = 429};