From 0cd9aba8e27235e1bcb741d7b5f2026827923f14 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 16 Oct 2023 23:51:52 +0200 Subject: mod_tokenauth: Delete grants without tokens after period Generally it is expected that a grant would have at least one token as long as the grant is in active use. Refresh tokens issued by mod_http_oauth2 have a lifetime of one week by default, so the idea here is that if that refresh token expired and another week goes by without the grant being used, then the whole grant can be removed. --- plugins/mod_tokenauth.lua | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua index 220f6b87..7bf19e9d 100644 --- a/plugins/mod_tokenauth.lua +++ b/plugins/mod_tokenauth.lua @@ -9,6 +9,7 @@ local generate_identifier = require "prosody.util.id".short; local token_store = module:open_store("auth_tokens", "keyval+"); local access_time_granularity = module:get_option_period("token_auth_access_time_granularity", 60); +local empty_grant_lifetime = module:get_option_period("tokenless_grant_ttl", "2w"); local function select_role(username, host, role_name) if not role_name then return end @@ -171,6 +172,13 @@ local function _get_validated_grant_info(username, grant) grant.tokens[secret_hash] = nil; end end + + if not grant.expires and next(grant.tokens) == nil and grant.accessed + empty_grant_lifetime < now then + module:log("debug", "Token grant has no tokens, discarding"); + token_store:set_key(username, grant.id, nil); + return nil, "expired"; + end + return grant; end -- cgit v1.2.3