mod_sasl2_fast/mod_sasl2_fast.lua @ 5282:0566a71a7076
mod_sasl2_fast: Invalidate tokens issued prior to last password change
author | Matthew Wild <mwild1@gmail.com> |
date | Tue, 28 Mar 2023 12:43:05 +0100 |
parent | 5137:471cbb583a1d |
child | 5285:8e1f1eb00b58 |
--- a/mod_sasl2_fast/mod_sasl2_fast.lua Mon Mar 27 23:19:09 2023 +0200
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua Tue Mar 28 12:43:05 2023 +0100
@@ -1,3 +1,5 @@
+local usermanager = require "core.usermanager";
+
 local sasl = require "util.sasl";
 local dt = require "util.datetime";
 local id = require "util.id";
@@ -38,6 +40,8 @@
 local function new_token_tester(hmac_f)
 return function (mechanism, username, client_id, token_hash, cb_data, invalidate)
+ local account_info = usermanager.get_account_info(username, module.host);
+ local last_password_change = account_info and account_info.password_updated;
 local tried_current_token = false;
 local key = hash.sha256(client_id, true).."-new";
 local token;
@@ -52,6 +56,12 @@
 log("debug", "Token found, but it has expired (%ds ago). Cleaning up...", current_time - token.expires_at);
 token_store:set(username, key, nil);
 return nil, "credentials-expired";
+ elseif last_password_change and token.issued_at < last_password_change then
+ log("debug", "Token found, but issued prior to password change (%ds ago). Cleaning up...",
+ current_time - last_password_change
+ );
+ token_store:set(username, key, nil);
+ return nil, "credentials-expired";
 end
 if not tried_current_token and not invalidate then
 -- The new token is becoming the current token
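Review bot: The new `elseif` compares `token.issued_at` against `last_password_change` without guarding for a missing `issued_at`; if any stored token lacks that field (for instance one persisted before it was recorded, which this hunk does not show either way), the `<` raises a Lua "attempt to compare nil with number" error in the middle of authentication instead of rejecting the token. Failing closed costs one line: `elseif last_password_change and (token.issued_at or 0) < last_password_change then`, which treats an undated token as older than any password change and therefore invalid. Two smaller caveats: with a strict `<`, a token issued in the same second as the password change survives, so the guarantee is only second-granular, and when `get_account_info` returns nil the check is silently disabled, which may deserve a one-off debug log so an operator can distinguish that from a backend that simply reports no `password_updated`. The closure returned by `new_token_tester` begins and ends outside this hunk.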