prosody-modules: comparison mod_http_oauth2/mod_http

equal deleted inserted replaced

-:4746609a6656
+:d5dc8edb2695
 local jid = require "util.jid";
 local json = require "util.json";
 local usermanager = require "core.usermanager";
 local errors = require "util.error";
 local url = require "socket.url";
-local uuid = require "util.uuid";
+local id = require "util.id";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
 local schema = require "util.jsonschema";
 local set = require "util.set";
 function response_type_handlers.code(client, params, granted_jid)
 	local request_username, request_host = jid.split(granted_jid);
 	local granted_scopes = filter_scopes(request_username, request_host, params.scope);
-	local code = uuid.generate();
+	local code = id.medium();
 	local ok = codes:set(params.client_id .. "#" .. code, {
 		expires = os.time() + 600;
 		granted_jid = granted_jid;
 		granted_scopes = granted_scopes;
 	});
 				return oauth_error("invalid_request", "Informative URI must match redirect URIs");
 			end
 		end
 	end
-	-- Ensure each signed client_id JWT is unique
+	-- Ensure each signed client_id JWT is unique, short ID and issued at
-	client_metadata.nonce = uuid.generate();
+	-- timestamp should be sufficient to rule out brute force attacks
+	client_metadata.nonce = id.short();
 	-- Do we want to keep everything?
 	local client_id = jwt_sign(client_metadata);
 	local client_secret = make_secret(client_id);