Changeset

5550:4fda06be6b08

mod_http_oauth2: Make note about handling repeated RFC 6749 states > If an authorization code is used more than once, the authorization > server MUST deny the request and SHOULD revoke (when possible) all > tokens previously issued based on that authorization code. We should follow the SHOULD. The MUST is already covered by removing the code state from the cache.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:10:46 +0200
parents 5549:01a0b67a9afd
children 5551:8bfcedd93a72
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Jun 16 00:06:53 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri Jun 16 00:10:46 2023 +0200
@@ -463,6 +463,7 @@
 	if err then error(err); end
 	-- MUST NOT use the authorization code more than once, so remove it to
 	-- prevent a second attempted use
+	-- TODO if a second attempt *is* made, revoke any tokens issued
 	codes:set(params.client_id .. "#" .. params.code, nil);
 	if not code or type(code) ~= "table" or code_expired(code) then
 		module:log("debug", "authorization_code invalid or expired: %q", code);