mod_tokenauth: Invalidate tokens issued before most recent password change
This is a security improvement, to ensure that sessions authenticated using a
token (note: not currently possible in stock Prosody) are invalidated just
like password-authenticated sessions are.
--- a/plugins/mod_tokenauth.lua Thu Oct 06 11:12:57 2022 +0100
+++ b/plugins/mod_tokenauth.lua Thu Oct 06 15:59:07 2022 +0100
@@ -68,6 +68,12 @@
return nil, "not-authorized";
end
+ local account_info = usermanager.get_account_info(token_user, module.host);
+ local password_updated_at = account_info and account_info.password_updated;
+ if password_updated_at and password_updated_at > token_info.created then
+ return nil, "not-authorized";
+ end
+
return token_info
end
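Review bot: The comparison on the third added line keeps a token alive when it was issued in the same second as the password change, because `password_updated_at > token_info.created` only rejects strictly older tokens; if both timestamps have whole-second resolution, a token created just before the change but within the same second survives it. Rejecting on equality is the safer side: `if password_updated_at and password_updated_at >= token_info.created then`. Separately, if `token_info.created` can be absent on tokens issued before that field was recorded, the `>` comparison raises a Lua error rather than returning `nil, "not-authorized"`; it looks worth confirming that every stored token carries `created`. When `get_account_info` yields nothing for the user the check silently passes, which may be intended for auth providers that do not report `password_updated`, but a one-line comment stating that fail-open choice would help the next reader. The enclosing function starts outside the hunk.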