mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_tokenauth: Invalidate tokens issued before most recent password change

Browse source 
This is a security improvement, to ensure that sessions authenticated using a
token (note: not currently possible in stock Prosody) are invalidated just
like password-authenticated sessions are.
This commit is contained in:
Matthew Wild 2022-10-06 15:59:07 +01:00
parent bfa6d5634a
commit 36afd999b1
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
plugins/mod_tokenauth.lua
View file

@ -68,6 +68,12 @@ local function _get_parsed_token_info(token_id, token_user, token_host)
return nil, "not-authorized";
end
local account_info = usermanager.get_account_info(token_user, module.host);
local password_updated_at = account_info and account_info.password_updated;
if password_updated_at and password_updated_at > token_info.created then
return nil, "not-authorized";
end
return token_info
end