# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1681287692 -7200
# Node ID 9e5802b45b9ec5a736e9dfd1a1c4577d393aa00b
# Parent  7fcf41b541e04868a9e0dd93bbb48170580659cd
mod_tokenauth: Only check if expiry of expiring tokens

Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime
explicitly bounded here, but rather be bounded by the lifetime of
something else, like the OAuth2 client.

Open question: Would it be better to enforce a lifetime on all tokens?

diff -r 7fcf41b541e0 -r 9e5802b45b9e plugins/mod_tokenauth.lua
--- a/plugins/mod_tokenauth.lua	Mon Apr 10 14:24:39 2023 +0200
+++ b/plugins/mod_tokenauth.lua	Wed Apr 12 10:21:32 2023 +0200
@@ -186,7 +186,7 @@
 
 	-- Check expiry
 	local now = os.time();
-	if token_info.expires < now then
+	if token_info.expires and token_info.expires < now then
 		module:log("debug", "Token has expired, cleaning it up");
 		grant.tokens[secret_hash] = nil;
 		token_store:set_key(token_user, token_id, grant);