mod_http_oauth2: Reference grant by id instead of value
Fixes the grant being mutated when a refresh token is used; notably, it
would gain 'id' and 'jid' properties set there by mod_tokenauth.
Previously it would also have gained the secret token, which we should not be remembering.
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 11 21:43:23 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri May 12 11:11:38 2023 +0200
@@ -216,12 +216,9 @@
else
-- Grant exists, reuse existing refresh token
refresh_token = refresh_token_info.token;
- refresh_token_info.token = nil; -- Prevent persistence of *secret* token
-
- refresh_token_info.grant = nil; -- Prevent reference loop
end
- local access_token, access_token_info = tokens.create_token(token_jid, grant, role, default_access_ttl, "oauth2");
+ local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");
local expires_at = access_token_info.expires;
return {
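Review bot: The `tokens.create_token(token_jid, grant.id, ...)` call now carries the invariant that the removed `-- Prevent persistence of *secret* token` comment used to record, and nothing on the new side states it. A short comment above the call would keep a later edit from passing the table again: `-- Pass grant.id, not the grant table: mod_tokenauth sets fields on what it is given, and the secret refresh token must never be stored with the grant`. Separately, `access_token_info.expires` on the following line is read without a check. If create_token can return nil when the id no longer resolves to a grant (not visible from this hunk), a guard before that read would turn an index-on-nil error into a clean failure. The enclosing function starts and ends outside the hunk.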