Changeset

4271:9623b99bb8d2

mod_http_oauth2: Keep authorization codes in memory instead of storage Seems excessive to have them in persistent storage for such a short time. Prevents them from leaking in case they never get cashed out.
author Kim Alvefur <zash@zash.se>
date Sun, 22 Nov 2020 18:49:31 +0100
parents 4270:243f7b0dbf35
children 4272:91b951fb3018
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 7 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Nov 22 18:46:25 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Nov 22 18:49:31 2020 +0100
@@ -1,4 +1,5 @@
 local hashes = require "util.hashes";
+local cache = require "util.cache";
 local http = require "util.http";
 local jid = require "util.jid";
 local json = require "util.json";
@@ -12,12 +13,15 @@
 local tokens = module:depends("tokenauth");
 
 local clients = module:open_store("oauth2_clients", "map");
-local codes = module:open_store("oauth2_codes", "map");
 
 local function code_expired(code)
 	return os.difftime(os.time(), code.issued) > 120;
 end
 
+local codes = cache.new(10000, function (_, code)
+	return code_expired(code)
+end);
+
 local function oauth_error(err_name, err_desc)
 	return errors.new({
 		type = "modify";
@@ -76,7 +80,7 @@
 	end
 
 	local code = uuid.generate();
-	assert(codes:set(client_owner, client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
+	assert(codes:set(params.client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
 
 	local redirect = url.parse(params.redirect_uri);
 	local query = http.formdecode(redirect.query or "");
@@ -120,7 +124,7 @@
 		module:log("debug", "client_secret mismatch");
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
-	local code, err = codes:get(client_owner, client_id .. "#" .. params.code);
+	local code, err = codes:get(params.client_id .. "#" .. params.code);
 	if err then error(err); end
 	if not code or type(code) ~= "table" or code_expired(code) then
 		module:log("debug", "authorization_code invalid or expired: %q", code);