Changeset

5213:dc0f502c12f1

mod_http_oauth2: Fix authorization code logic I have no idea what it did before or if it even worked. RFC 6749 section 4.1.2 says: > A maximum authorization code lifetime of 10 minutes is RECOMMENDED. So this should prevent use of codes older than 10 minutes and remove them from the cache some time after they expire.
author Kim Alvefur <zash@zash.se>
date Mon, 06 Mar 2023 16:49:43 +0100
parents 5212:3235b8bd1e55
children 5214:d5492bc861f6
files mod_http_oauth2/mod_http_oauth2.lua
diffstat 1 files changed, 7 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 15:55:11 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 16:49:43 2023 +0100
@@ -90,18 +90,20 @@
 	return usermanager.get_user_role(username, module.host).name;
 end
 
-local function code_expires_in(code)
-	return os.difftime(os.time(), code.issued);
+local function code_expires_in(code) --> number, seconds until code expires
+	return os.difftime(code.expires, os.time());
 end
 
-local function code_expired(code)
-	return code_expires_in(code) > 120;
+local function code_expired(code) --> boolean, true: has expired, false: still valid
+	return code_expires_in(code) < 0;
 end
 
 local codes = cache.new(10000, function (_, code)
 	return code_expired(code)
 end);
 
+-- Periodically clear out unredeemed codes.  Does not need to be exact, expired
+-- codes are rejected if tried. Mostly just to keep memory usage in check.
 module:add_timer(900, function()
 	local k, code = codes:tail();
 	while code and code_expired(code) do
@@ -176,7 +178,7 @@
 
 	local code = uuid.generate();
 	local ok = codes:set(params.client_id .. "#" .. code, {
-		issued = os.time();
+		expires = os.time() + 600;
 		granted_jid = granted_jid;
 		granted_scopes = granted_scopes;
 	});