
mod_http_oauth2/mod_http_oauth2.lua @ 5243:d5dc8edb2695

mod_http_oauth2: Use more compact IDs UUIDs are nice but so verbose! The reduction in entropy for the nonce should be fine since the timestamp also counts towards this, and it changes every second (modulo clock shenanigans), so the chances of someone managing to get the same client_secret by registering with the same information at the same time as another entity should be negligible.
author Kim Alvefur <zash@zash.se>
date Sat, 11 Mar 2023 22:46:27 +0100
parent 5242:4746609a6656
child 5244:fa7bd721a3f6
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:31:02 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:46:27 2023 +0100
@@ -6,7 +6,7 @@
 local usermanager = require "core.usermanager";
 local errors = require "util.error";
 local url = require "socket.url";
-local uuid = require "util.uuid";
+local id = require "util.id";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
@@ -185,7 +185,7 @@
 	local request_username, request_host = jid.split(granted_jid);
 	local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 
-	local code = uuid.generate();
+	local code = id.medium();
 	local ok = codes:set(params.client_id .. "#" .. code, {
 		expires = os.time() + 600;
 		granted_jid = granted_jid;
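Review bot: The authorization code on the added line now comes from `id.medium()`, which as far as I recall util.id is 12 random bytes, roughly 96 bits; RFC 6749 §10.10 asks that the probability of an attacker guessing a generated code be below 2^-128, with 2^-160 recommended, so this is the one place where the compaction drops below a published guideline rather than merely a UUID. The code is keyed under the client_id in the codes:set call and expires after 600 seconds, which keeps it practically unguessable, but a verbose authorization code costs nothing compared with the nonce case, so `local code = id.long();` would preserve the RFC margin without affecting the rest of the change. If `medium()` in fact yields 16 or more random bytes this point is moot. The enclosing handler starts before the hunk.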
@@ -624,8 +624,9 @@
 		end
 	end
 
-	-- Ensure each signed client_id JWT is unique
-	client_metadata.nonce = uuid.generate();
+	-- Ensure each signed client_id JWT is unique, short ID and issued at
+	-- timestamp should be sufficient to rule out brute force attacks
+	client_metadata.nonce = id.short();
 
 	-- Do we want to keep everything?
 	local client_id = jwt_sign(client_metadata);
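Review bot: The new comment above the nonce says the short ID and timestamp "should be sufficient to rule out brute force attacks", but brute force is not what the nonce protects against; its job, as the first comment line says, is uniqueness of the signed client_id, and the security argument in the commit description is about collisions between two registrations with identical metadata in the same second, not about guessing. If the client_secret is derived from the signed client_id under the server's key, as it appears to be, secrecy rests on that key and the JWT signature, not on the nonce's 48 bits, and the comment should say so to keep a later reader from treating `id.short()` as a secret. I would reword it as `-- Ensure each signed client_id JWT is unique: 48 random bits plus the issued-at timestamp make a collision between two registrations with identical metadata negligible. This nonce is not a secret; client_secret security rests on the signing key.` The issued-at claim is not visible in this hunk, so confirm it really is part of the signed metadata before relying on it in the comment.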