Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_tokenauth: Invalidate tokens issued before most recent password change
authorMatthew Wild <mwild1@gmail.com>
Thu, 06 Oct 2022 15:59:07 +0100
changeset 12746 126aefd2c4c6
parent 12745 7b3deafb9162
child 12747 19113f232423
mod_tokenauth: Invalidate tokens issued before most recent password change This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.
plugins/mod_tokenauth.lua file | annotate | diff | comparison | revisions 
--- a/plugins/mod_tokenauth.lua	Thu Oct 06 11:12:57 2022 +0100
+++ b/plugins/mod_tokenauth.lua	Thu Oct 06 15:59:07 2022 +0100
@@ -68,6 +68,12 @@
 		return nil, "not-authorized";
 	end
 
+	local account_info = usermanager.get_account_info(token_user, module.host);
+	local password_updated_at = account_info and account_info.password_updated;
+	if password_updated_at and password_updated_at > token_info.created then
+		return nil, "not-authorized";
+	end
+
 	return token_info
 end
prosody