plugins/mod_tokenauth.lua @ 13273:a1c927323f06
mod_tokenauth: Delete grants without tokens after period
Generally it is expected that a grant would have at least one token as
long as the grant is in active use.
Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by
default, so the idea here is that if that refresh token expired and
another week goes by without the grant being used, then the whole grant
can be removed.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 16 Oct 2023 23:51:52 +0200 |
parent | 13272:8535a6105919 |
child | 13274:ddfe07041fc5 |
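--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -7,10 +7,11 @@
 local generate_identifier = require "prosody.util.id".short;
 
 local token_store = module:open_store("auth_tokens", "keyval+");
 
 local access_time_granularity = module:get_option_period("token_auth_access_time_granularity", 60);
+local empty_grant_lifetime = module:get_option_period("tokenless_grant_ttl", "2w");
 
 local function select_role(username, host, role_name)
 if not role_name then return end
 local role = usermanager.get_role_by_name(role_name, host);
 if not role then return end
@@ -169,10 +170,17 @@
 if token_info.expires and token_info.expires < now then
 module:log("debug", "Token has expired, cleaning it up");
 grant.tokens[secret_hash] = nil;
 end
 end
+
+if not grant.expires and next(grant.tokens) == nil and grant.accessed + empty_grant_lifetime < now then
+module:log("debug", "Token grant has no tokens, discarding");
+token_store:set_key(username, grant.id, nil);
+return nil, "expired";
+end
+
 return grant;
 end
 
 local function _get_validated_token_info(token_id, token_user, token_host, token_secret)
 if token_host ~= module.host then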
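Review bot: The new tokenless-grant check at new line 176 does arithmetic on `grant.accessed` with no nil guard; if a stored grant can lack that field (an older record, or one written before the field existed — I cannot tell from this hunk), `grant.accessed + empty_grant_lifetime` raises "attempt to perform arithmetic on a nil value" and the lookup errors instead of returning `nil, "expired"` or the grant. A guard such as `if not grant.expires and next(grant.tokens) == nil and grant.accessed and grant.accessed + empty_grant_lifetime < now then` keeps such a grant rather than erroring; if the writer of grant records guarantees `accessed` is always set, a one-line comment saying so at the check would spare the next reader the same question. It is also worth a comment above the block noting that this cleanup only runs when the grant is next looked up, so a grant that is never referenced again is not reclaimed by this path and storage growth must be bounded elsewhere. The enclosing function begins before this hunk.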