mod_http_oauth2: Keep authorization codes in memory instead of storage
Seems excessive to have them in persistent storage for such a short
time. Prevents them from leaking in case they never get cashed out.
--- a/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:46:25 2020 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Nov 22 18:49:31 2020 +0100
@@ -1,4 +1,5 @@
local hashes = require "util.hashes";
+local cache = require "util.cache";
local http = require "util.http";
local jid = require "util.jid";
local json = require "util.json";
@@ -12,12 +13,15 @@
local tokens = module:depends("tokenauth");
local clients = module:open_store("oauth2_clients", "map");
-local codes = module:open_store("oauth2_codes", "map");
local function code_expired(code)
return os.difftime(os.time(), code.issued) > 120;
end
+local codes = cache.new(10000, function (_, code)
+ return code_expired(code)
+end);
+
local function oauth_error(err_name, err_desc)
return errors.new({
type = "modify";
@@ -76,7 +80,7 @@
end
local code = uuid.generate();
- assert(codes:set(client_owner, client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
+ assert(codes:set(params.client_id .. "#" .. code, {issued = os.time(); granted_jid = granted_jid}));
local redirect = url.parse(params.redirect_uri);
local query = http.formdecode(redirect.query or "");
@@ -120,7 +124,7 @@
module:log("debug", "client_secret mismatch");
return oauth_error("invalid_client", "incorrect credentials");
end
- local code, err = codes:get(client_owner, client_id .. "#" .. params.code);
+ local code, err = codes:get(params.client_id .. "#" .. params.code);
if err then error(err); end
if not code or type(code) ~= "table" or code_expired(code) then
module:log("debug", "authorization_code invalid or expired: %q", code);