Mercurial Mercurial > prosody > prosody-modules / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Remove authorization codes after use
authorKim Alvefur <zash@zash.se>
Mon, 06 Mar 2023 16:53:27 +0100
changeset 5218 d5492bc861f6
parent 5217 dc0f502c12f1
child 5219 fd6cb4365438
mod_http_oauth2: Remove authorization codes after use RFC 6749 section 4.1.2 says: > The client MUST NOT use the authorization code more than once. Thus we clear it from the cache after use.
mod_http_oauth2/mod_http_oauth2.lua file | annotate | diff | comparison | revisions 
--- a/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 16:49:43 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Mon Mar 06 16:53:27 2023 +0100
@@ -265,6 +265,9 @@
 	end
 	local code, err = codes:get(params.client_id .. "#" .. params.code);
 	if err then error(err); end
+	-- MUST NOT use the authorization code more than once, so remove it to
+	-- prevent a second attempted use
+	codes:set(params.client_id .. "#" .. params.code, nil);
 	if not code or type(code) ~= "table" or code_expired(code) then
 		module:log("debug", "authorization_code invalid or expired: %q", code);
 		return oauth_error("invalid_client", "incorrect credentials");
prosody-modules