aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2023-07-23 02:54:49 +0200
committerKim Alvefur <zash@zash.se>2023-07-23 02:54:49 +0200
commitd2cfe2fed7649721c6d3832da86f06f69e6cb97c (patch)
tree2c52ad63ae8b37b5bf5a74fc4d6c341e3b504386 /plugins
parenta1f053229c1da8a0137e0d895f90b07eeb02ab91 (diff)
downloadprosody-d2cfe2fed7649721c6d3832da86f06f69e6cb97c.tar.gz
prosody-d2cfe2fed7649721c6d3832da86f06f69e6cb97c.zip
mod_tokenauth: Fix revoking a single token without revoking whole grant
This appears to have been a copy-paste of the grant revocation function, or maybe the other way around. Either way, it deleted the whole grant instead of the individual token as might be expected.
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_tokenauth.lua22
1 files changed, 18 insertions, 4 deletions
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 89b2a81e..cf34b48c 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -265,19 +265,33 @@ function get_token_session(token, resource)
end
function revoke_token(token)
- local token_id, token_user, token_host = parse_token(token);
- if not token_id then
+ local grant_id, token_user, token_host, token_secret = parse_token(token);
+ if not grant_id then
module:log("warn", "Failed to verify access token: %s", token_user);
return nil, "invalid-token-format";
end
if token_host ~= module.host then
return nil, "invalid-host";
end
- local ok, err = token_store:set_key(token_user, token_id, nil);
+ local grant, err = _get_validated_grant_info(token_user, grant_id);
+ if not grant then return grant, err; end
+ local secret_hash = "sha256:"..hashes.sha256(token_secret, true);
+ local token_info = grant.tokens[secret_hash];
+ if not grant or not token_info then
+ return nil, "item-not-found";
+ end
+ grant.tokens[secret_hash] = nil;
+ local ok, err = token_store:set_key(token_user, grant_id, grant);
if not ok then
return nil, err;
end
- module:fire_event("token-grant-revoked", { id = token_id, username = token_user, host = token_host });
+ module:fire_event("token-revoked", {
+ grant_id = grant_id;
+ grant = grant;
+ info = token_info;
+ username = token_user;
+ host = token_host;
+ });
return true;
end