mod_http_oauth2: Make storage of various code more consistent
I'm not sure how any of this worked at all.
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Aug 04 01:11:01 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sun Aug 06 12:07:05 2023 +0200
@@ -394,17 +394,19 @@
return oauth_error("invalid_request", "PKCE required");
end
+ local prefix = "authorization_code:";
local code = id.medium();
if params.redirect_uri == device_uri then
local is_device, device_state = verify_device_token(params.state);
if is_device then
-- reconstruct the device_code
+ prefix = "device_code:";
code = b64url(hashes.hmac_sha256(verification_key, device_state.user_code));
else
return oauth_error("invalid_request");
end
end
- local ok = codes:set("authorization_code:" .. params.client_id .. "#" .. code, {
+ local ok = codes:set(prefix.. params.client_id .. "#" .. code, {
expires = os.time() + 600;
granted_jid = granted_jid;
granted_scopes = granted_scopes;
@@ -580,7 +582,7 @@
return oauth_error("invalid_client", "incorrect credentials");
end
- local code = codes:get("device_code:" .. params.device_code);
+ local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code);
if type(code) ~= "table" or code_expired(code) then
return oauth_error("expired_token");
elseif code.error then
@@ -588,7 +590,7 @@
elseif not code.granted_jid then
return oauth_error("authorization_pending");
end
- codes:set("device_code:" .. params.device_code, nil);
+ codes:set("device_code:" .. params.client_id .. "#" .. params.device_code, nil);
return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token));
end
@@ -993,9 +995,10 @@
local verification_uri = module:http_url() .. "/device";
local verification_uri_complete = verification_uri .. "?" .. http.formencode({ user_code = user_code });
- local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = os.time() + 1200 });
+ local expires = os.time() + 600;
+ local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = expires });
local uc_ok = codes:set("user_code:" .. user_code,
- { user_code = user_code; expires = os.time() + 600; client_id = params.client_id;
+ { user_code = user_code; expires = expires; client_id = params.client_id;
scope = requested_scopes:concat(" ") });
if not dc_ok or not uc_ok then
return oauth_error("temporarily_unavailable");