--- a/mod_sasl2_fast/mod_sasl2_fast.lua Mon Mar 27 23:19:09 2023 +0200
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua Tue Mar 28 12:43:05 2023 +0100
@@ -1,3 +1,5 @@
+local usermanager = require "core.usermanager";
+
local sasl = require "util.sasl";
local dt = require "util.datetime";
local id = require "util.id";
@@ -38,6 +40,8 @@
local function new_token_tester(hmac_f)
return function (mechanism, username, client_id, token_hash, cb_data, invalidate)
+ local account_info = usermanager.get_account_info(username, module.host);
+ local last_password_change = account_info and account_info.password_updated;
local tried_current_token = false;
local key = hash.sha256(client_id, true).."-new";
local token;
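Review bot: When `usermanager.get_account_info` returns nil (an auth provider that does not implement it, or an unknown account), `last_password_change` becomes nil and the password-change check added later in this function is silently skipped for every token of that user. That is the intended fallback as far as I can tell, but it should be visible in logs rather than indistinguishable from "no password change recorded"; a `log("debug", "No account info available for %s, skipping password-change check", username)` branch when `account_info` is nil would make that explicit. The enclosing function continues outside this hunk.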
@@ -52,6 +56,12 @@
log("debug", "Token found, but it has expired (%ds ago). Cleaning up...", current_time - token.expires_at);
token_store:set(username, key, nil);
return nil, "credentials-expired";
+ elseif last_password_change and token.issued_at < last_password_change then
+ log("debug", "Token found, but issued prior to password change (%ds ago). Cleaning up...",
+ current_time - last_password_change
+ );
+ token_store:set(username, key, nil);
+ return nil, "credentials-expired";
end
if not tried_current_token and not invalidate then
-- The new token is becoming the current token
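Review bot: The new branch compares `token.issued_at < last_password_change` with a strict less-than, so a token issued in the same second as the password change (whole-second timestamps, judging by the `%ds` logging) survives the invalidation; `<=` is the safer boundary here, since the point of the check is that nothing obtained under the old password should remain valid. Separately, if any stored token predates the `issued_at` field, the comparison raises "attempt to compare nil with number" instead of rejecting the token; if that is possible with existing stores, `(token.issued_at or 0) < last_password_change` would treat unknown-age tokens as pre-change, which is the conservative choice. The enclosing function starts and ends outside this hunk.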