mod_http_oauth2: Use more compact IDs
authorKim Alvefur <zash@zash.se>
Sat, 11 Mar 2023 22:46:27 +0100
changeset 5247 d5dc8edb2695
parent 5246 4746609a6656
child 5248 fa7bd721a3f6
mod_http_oauth2: Use more compact IDs UUIDs are nice but so verbose! The reduction in entropy for the nonce should be fine since the timestamp also counts towards this, and it changes every second (modulo clock shenanigans), so the chances of someone managing to get the same client_secret by registering with the same information at the same time as another entity should be negligible.
mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:31:02 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sat Mar 11 22:46:27 2023 +0100
@@ -6,7 +6,7 @@
 local usermanager = require "core.usermanager";
 local errors = require "util.error";
 local url = require "socket.url";
-local uuid = require "util.uuid";
+local id = require "util.id";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
@@ -185,7 +185,7 @@
 	local request_username, request_host = jid.split(granted_jid);
 	local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 
-	local code = uuid.generate();
+	local code = id.medium();
 	local ok = codes:set(params.client_id .. "#" .. code, {
 		expires = os.time() + 600;
 		granted_jid = granted_jid;
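Review bot: The authorization code on the `+` line is now `id.medium()`, which, if util.id follows its usual sizes, carries about 96 random bits, down from the roughly 122 random bits of a v4 UUID; RFC 6749 §10.10 asks that the guess probability for codes and tokens be at most 2^-128, so this likely drops the code below that bar even though the 600-second expiry and the client_id prefix in the store key narrow the window. The commit description argues the entropy reduction only for the nonce, not for this code. Unless the shorter length is needed by some consumer, `local code = id.long();` keeps the compact encoding while staying above the RFC's threshold. The enclosing handler starts and ends outside this hunk.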
@@ -624,8 +624,9 @@
 		end
 	end
 
-	-- Ensure each signed client_id JWT is unique
-	client_metadata.nonce = uuid.generate();
+	-- Ensure each signed client_id JWT is unique, short ID and issued at
+	-- timestamp should be sufficient to rule out brute force attacks
+	client_metadata.nonce = id.short();
 
 	-- Do we want to keep everything?
 	local client_id = jwt_sign(client_metadata);
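Review bot: The rewritten comment says the short ID and timestamp "rule out brute force attacks", but the nonce's job, as the first comment line and the commit description state, is to make each signed client_id JWT unique so two registrations with identical metadata do not yield the same client_id (and derived secret); resistance to guessing rests on the key used by `jwt_sign`, not on the nonce length, and the comment should not suggest otherwise. I would reword it as `-- Ensure each signed client_id JWT is unique: a short random ID plus the issued-at timestamp (presumably set during signing) make a collision between two registrations negligible; guess-resistance comes from the signing key, not from this nonce`. The enclosing function starts outside this hunk.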