mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_tokenauth: Delete grants without tokens after period

Browse source 
Generally it is expected that a grant would have at least one token as
long as the grant is in active use.

Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by
default, so the idea here is that if that refresh token expired and
another week goes by without the grant being used, then the whole grant
can be removed.
This commit is contained in:
Kim Alvefur 2023-10-16 23:51:52 +02:00
parent 9d47a1a9ef
commit 0cd9aba8e2
1 changed files with 8 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
plugins/mod_tokenauth.lua
View file

@ -9,6 +9,7 @@ local generate_identifier = require "prosody.util.id".short;
local token_store = module:open_store("auth_tokens", "keyval+");
local access_time_granularity = module:get_option_period("token_auth_access_time_granularity", 60);
local empty_grant_lifetime = module:get_option_period("tokenless_grant_ttl", "2w");
local function select_role(username, host, role_name)
if not role_name then return end
@ -171,6 +172,13 @@ local function _get_validated_grant_info(username, grant)
grant.tokens[secret_hash] = nil;
end
end
if not grant.expires and next(grant.tokens) == nil and grant.accessed + empty_grant_lifetime < now then
module:log("debug", "Token grant has no tokens, discarding");
token_store:set_key(username, grant.id, nil);
return nil, "expired";
end
return grant;
end