authorMatthew Wild <mwild1@gmail.com>2022-10-06 15:59:07 +0100
committerMatthew Wild <mwild1@gmail.com>2022-10-06 15:59:07 +0100
commit36afd999b1042b997ae59c81dce755fb01ee2b11 (patch)
treec64d1b8784a49b0d7f95a27f08be7f0d41797561 /plugins
parentbfa6d5634afbed156537de9eb620964b24111ff2 (diff)
downloadprosody-36afd999b1042b997ae59c81dce755fb01ee2b11.tar.gz
prosody-36afd999b1042b997ae59c81dce755fb01ee2b11.zip
mod_tokenauth: Invalidate tokens issued before most recent password change
This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_tokenauth.lua6
1 files changed, 6 insertions, 0 deletions
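--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -68,6 +68,12 @@ local function _get_parsed_token_info(token_id, token_user, token_host)
 return nil, "not-authorized";
 end
+ local account_info = usermanager.get_account_info(token_user, module.host);
+ local password_updated_at = account_info and account_info.password_updated;
+ if password_updated_at and password_updated_at > token_info.created then
+ return nil, "not-authorized";
+ end
+
 return token_info
 end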
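Review bot: The new invalidation check fails open: when `usermanager.get_account_info` returns nil for the user (an auth backend that does not track `password_updated`), `password_updated_at` is nil and the token is accepted with no trace that the check was skipped, so a `module:log("debug", "No password_updated info for %s@%s, skipping token invalidation check", token_user, module.host)` on the nil path would make that visible to operators. The comparison `password_updated_at > token_info.created` also raises "attempt to compare" if a stored token lacks the `created` field (presumably possible for tokens persisted before that field was recorded — worth confirming against the token store), which would turn a validation into an error rather than a clean `nil, "not-authorized"`. Strict `>` additionally leaves a token issued within the same second as the password change valid; whether that is acceptable depends on the timestamp granularity of `password_updated`. The enclosing function `_get_parsed_token_info` starts outside the hunk.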