plugins/mod_tokenauth.lua @ 13009:a70ff0c524c9
mod_tokenauth: Move grant validation to a reusable function
author | Matthew Wild <mwild1@gmail.com> |
date | Wed, 29 Mar 2023 17:14:45 +0100 |
parent | 13006:d943733c6d01 |
child | 13010:3e454af3615d |
--- a/plugins/mod_tokenauth.lua Wed Mar 29 13:01:53 2023 +0100
+++ b/plugins/mod_tokenauth.lua Wed Mar 29 17:14:45 2023 +0100
@@ -139,6 +139,28 @@
 return updated;
 end
 
+local function _get_validated_grant_info(username, grant)
+ if type(grant) == "string" then
+ grant = token_store:get_key(username, grant);
+ end
+ if not grant or not grant.created then return nil; end
+
+ -- Invalidate grants from before last password change
+ local account_info = usermanager.get_account_info(username, module.host);
+ local password_updated_at = account_info and account_info.password_updated;
+ if password_updated_at and grant.created < password_updated_at then
+ module:log("debug", "Token grant issued before last password change, invalidating it now");
+ token_store:set_key(username, grant.id, nil);
+ return nil, "not-authorized";
+ elseif grant.expires and grant.expires < os.time() then
+ module:log("debug", "Token grant expired, cleaning up");
+ token_store:set_key(username, grant.id, nil);
+ return nil, "expired";
+ end
+
+ return grant;
+end
+
 local function _get_validated_token_info(token_id, token_user, token_host, token_secret)
 if token_host ~= module.host then
 return nil, "invalid-host";
@@ -171,12 +193,9 @@
 return nil, "not-authorized";
 end
 
- -- Invalidate grants from before last password change
- local account_info = usermanager.get_account_info(token_user, module.host);
- local password_updated_at = account_info and account_info.password_updated;
- if password_updated_at and grant.created < password_updated_at then
- module:log("debug", "Token grant issued before last password change, invalidating it now");
- token_store:set_key(token_user, token_id, nil);
+ -- Verify grant validity (expiry, etc.)
+ grant = _get_validated_grant_info(token_user, grant);
+ if not grant then
 return nil, "not-authorized";
 end
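Review bot: Both cleanup paths in the new `_get_validated_grant_info` delete the stored grant with `token_store:set_key(username, grant.id, nil)`, but the entry guard only requires `grant.created`, so a grant record that lacks an `id` would pass the guard and then fail to be revoked, leaving a pre-password-change or expired grant in the store; I would tighten the guard to `if not grant or not grant.created or not grant.id then return nil; end`. That early return also carries no reason, unlike the `"not-authorized"` and `"expired"` results further down, so a caller cannot distinguish a missing grant from a malformed one; returning `nil, "not-authorized"` there would keep the function's contract uniform. The error value from `token_store:get_key` in the string branch is likewise dropped rather than propagated. The caller added in the second hunk collapses both reasons back to a fixed `"not-authorized"` (`if not grant then return nil, "not-authorized"; end`), which discards the `"expired"` distinction this commit introduces; that hunk appears to continue past the end of the page.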