# HG changeset patch
# User Matthew Wild <mwild1@gmail.com>
# Date 1665068347 -3600
# Node ID 126aefd2c4c631ecc93f3fccdd60ac9306eeb6f3
# Parent  7b3deafb91627fac21e68bb38f68a7bd4291ee42
mod_tokenauth: Invalidate tokens issued before most recent password change

This is a security improvement, to ensure that sessions authenticated using a
token (note: not currently possible in stock Prosody) are invalidated just
like password-authenticated sessions are.

diff -r 7b3deafb9162 -r 126aefd2c4c6 plugins/mod_tokenauth.lua
--- a/plugins/mod_tokenauth.lua	Thu Oct 06 11:12:57 2022 +0100
+++ b/plugins/mod_tokenauth.lua	Thu Oct 06 15:59:07 2022 +0100
@@ -68,6 +68,12 @@
 		return nil, "not-authorized";
 	end
 
+	local account_info = usermanager.get_account_info(token_user, module.host);
+	local password_updated_at = account_info and account_info.password_updated;
+	if password_updated_at and password_updated_at > token_info.created then
+		return nil, "not-authorized";
+	end
+
 	return token_info
 end