Changeset

5451:6705f2a09702

mod_http_oauth2: Reference grant by id instead of value Fixes that the grant got mutated on use of refresh token, notably it would gain 'id' and 'jid' properties set there by mod_tokenauth. Previously also the secret token that we should not be remembering.
author Kim Alvefur <zash@zash.se>
date Fri, 12 May 2023 11:11:38 +0200
parents 5450:d2594bbf7c36
children 5452:b071d8ee6555
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 1 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu May 11 21:43:23 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri May 12 11:11:38 2023 +0200
@@ -216,12 +216,9 @@
 	else
 		-- Grant exists, reuse existing refresh token
 		refresh_token = refresh_token_info.token;
-		refresh_token_info.token = nil; -- Prevent persistence of *secret* token
-
-		refresh_token_info.grant = nil; -- Prevent reference loop
 	end
 
-	local access_token, access_token_info = tokens.create_token(token_jid, grant, role, default_access_ttl, "oauth2");
+	local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
 
 	local expires_at = access_token_info.expires;
 	return {