# HG changeset patch
# User Matthew Wild
# Date 1679939472 -3600
# Node ID eb482defd9b0bc9f9dfe2096e0b852f4aebcd562
# Parent 2b858cccac8f8aee0926b769e69da590bc06275d
mod_http_oauth2: Update to use new API of Prosody mod_tokenauth @ 601d9a375b86
diff -r 2b858cccac8f -r eb482defd9b0 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Mar 24 14:29:07 2023 +0000
+++ b/mod_http_oauth2/mod_http_oauth2.lua Mon Mar 27 18:51:12 2023 +0100
@@ -165,22 +165,19 @@
 end
 local refresh_token;
- local access_token, access_token_info
- -- No existing refresh token, and we're issuing a time-limited access token?
- -- Create a refresh token (unless refresh_token_info == false)
- if refresh_token_info == false or not default_access_ttl then
- -- Caller does not want a refresh token, or access tokens are not configured to expire
- -- So, just create a standalone access token
- access_token, access_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_access_ttl, token_data, "oauth2");
+ local grant = refresh_token_info and refresh_token_info.grant;
+ if not grant then
+ -- No existing grant, create one
+ grant = tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data);
+ -- Create refresh token for the grant if desired
+ refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh");
 else
- -- We're issuing both a refresh and an access token
- if not refresh_token_info then
- refresh_token, refresh_token_info = tokens.create_jid_token(token_jid, token_jid, role, default_refresh_ttl, token_data, "oauth2-refresh");
- else
- refresh_token = refresh_token_info.token;
- end
- access_token, access_token_info = tokens.create_sub_token(token_jid, refresh_token_info.id, role, default_access_ttl, token_data, "oauth2");
+ -- Grant exists, reuse existing refresh token
+ refresh_token = refresh_token_info.token;
 end
+
+ local access_token, access_token_info = tokens.create_token(token_jid, grant, role, default_access_ttl, "oauth2");
+
 local expires_at = access_token_info.expires;
 return {
 token_type = "bearer";
@@ -188,7 +185,7 @@
 expires_in = expires_at and (expires_at - os.time()) or nil;
 scope = scope_string;
 id_token = id_token;
- refresh_token = refresh_token;
+ refresh_token = refresh_token or nil;
 };
 end
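Review bot: The refresh token created in the `if not grant` branch is issued with a nil role (`tokens.create_token(token_jid, grant, nil, nil, "oauth2-refresh")`) while the access token created just below it carries `role`, and the refresh handler in the `@@ -366` hunk appears to build the next access token from `refresh_token_info.role`, so unless the token store fills in a role from the grant, a refreshed access token ends up with a different role than the one originally granted. Either pass the role when minting the refresh token, `refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant, role, nil, "oauth2-refresh");`, or have the refresh path take the role from the grant rather than from the refresh-token record; this is worth confirming against the mod_tokenauth revision named in the commit message. The old `not default_access_ttl` guard is also gone, so a refresh token is now created even when access tokens are configured never to expire, which issues a long-lived credential the client cannot need; if that is intended it deserves a comment on the `if not grant` line. new_access_token() starts before this hunk and its return table continues into the next one.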
@@ -366,7 +363,9 @@
 -- new_access_token() requires the actual token
 refresh_token_info.token = params.refresh_token;
- return json.encode(new_access_token(token_info.jid, token_info.role, token_info.data.oauth2_scopes, client, nil, token_info));
+ return json.encode(new_access_token(
+ refresh_token_info.jid, refresh_token_info.role, refresh_token_info.data.oauth2_scopes, client, nil, refresh_token_info
+ ));
 end
 -- Used to issue/verify short-lived tokens for the authorization process below
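Review bot: `refresh_token_info.data.oauth2_scopes` dereferences `.data` unguarded, and with this commit `token_data` is attached to the grant (`tokens.create_grant(token_jid, token_jid, default_refresh_ttl, token_data)` in the first hunk) while the "oauth2-refresh" token is created with no token data passed, so unless the token store copies grant data onto the token info, `.data` is nil here and a refresh request fails with a Lua index error instead of an OAuth error response. Confirm what the token info carries for a refresh token and, if the scopes live on the grant, read them from there; a nil check on `refresh_token_info.data` before this `return` would turn the crash into a controlled rejection either way. The enclosing refresh handler starts before this hunk.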