prosody
126aefd2c4c6
plugins/mod_tokenauth.lua
Software / code / prosody
Comparison
plugins/mod_tokenauth.lua @ 12742:126aefd2c4c6
mod_tokenauth: Invalidate tokens issued before most recent password change
This is a security improvement, to ensure that sessions authenticated using a
token (note: not currently possible in stock Prosody) are invalidated just
like password-authenticated sessions are.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 06 Oct 2022 15:59:07 +0100 |
| parent | 12662:07424992d7fc |
| child | 12743:19113f232423 |
comparison
equal
deleted
inserted
replaced
| 12741:7b3deafb9162 | 12742:126aefd2c4c6 |
|---|---|
| 66 | 66 |
| 67 if token_info.expires and token_info.expires < os.time() then | 67 if token_info.expires and token_info.expires < os.time() then |
| 68 return nil, "not-authorized"; | 68 return nil, "not-authorized"; |
| 69 end | 69 end |
| 70 | 70 |
| 71 local account_info = usermanager.get_account_info(token_user, module.host); | |
| 72 local password_updated_at = account_info and account_info.password_updated; | |
| 73 if password_updated_at and password_updated_at > token_info.created then | |
| 74 return nil, "not-authorized"; | |
| 75 end | |
| 76 | |
| 71 return token_info | 77 return token_info |
| 72 end | 78 end |
| 73 | 79 |
| 74 function get_token_info(token) | 80 function get_token_info(token) |
| 75 local token_id, token_user, token_host = parse_token(token); | 81 local token_id, token_user, token_host = parse_token(token); |
