Software /
code /
prosody-modules
Changeset
4271:9623b99bb8d2
mod_http_oauth2: Keep authorization codes in memory instead of storage
Seems excessive to have them in persistent storage for such a short
time. Prevents them from leaking in case they never get cashed out.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 22 Nov 2020 18:49:31 +0100 |
parents | 4270:243f7b0dbf35 |
children | 4272:91b951fb3018 |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 7 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:46:25 2020 +0100 +++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:49:31 2020 +0100 @@ -1,4 +1,5 @@ local hashes = require "util.hashes"; +local cache = require "util.cache"; local http = require "util.http"; local jid = require "util.jid"; local json = require "util.json"; @@ -12,12 +13,15 @@ local tokens = module:depends("tokenauth"); local clients = module:open_store("oauth2_clients", "map"); -local codes = module:open_store("oauth2_codes", "map"); local function code_expired(code) return os.difftime(os.time(), code.issued) > 120; end +local codes = cache.new(10000, function (_, code) + return code_expired(code) +end); + local function oauth_error(err_name, err_desc) return errors.new({ type = "modify"; @@ -76,7 +80,7 @@ end local code = uuid.generate(); - assert(codes:set(client_owner, client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid})); + assert(codes:set(params.client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid})); local redirect = url.parse(params.redirect_uri); local query = http.formdecode(redirect.query or ""); @@ -120,7 +124,7 @@ module:log("debug", "client_secret mismatch"); return oauth_error("invalid_client", "incorrect credentials"); end - local code, err = codes:get(client_owner, client_id .. "#" .. params.code); + local code, err = codes:get(params.client_id .. "#" .. params.code); if err then error(err); end if not code or type(code) ~= "table" or code_expired(code) then module:log("debug", "authorization_code invalid or expired: %q", code);