From 816d0819f2065caa10dd95915157b3fb3b17f477 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 12 Apr 2023 10:21:32 +0200
Subject: mod_tokenauth: Only check if expiry of expiring tokens
Some tokens, e.g. OAuth2 refresh tokens, might not have their lifetime explicitly bounded here, but rather be bounded by the lifetime of something else, like the OAuth2 client. Open question: Would it be better to enforce a lifetime on all tokens?
---
 plugins/mod_tokenauth.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 1403047b..240e9fbd 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -186,7 +186,7 @@ local function _get_validated_token_info(token_id, token_user, token_host, token
 -- Check expiry
 local now = os.time();
- if token_info.expires < now then
+ if token_info.expires and token_info.expires < now then
 module:log("debug", "Token has expired, cleaning it up");
 grant.tokens[secret_hash] = nil;
 token_store:set_key(token_user, token_id, grant);
-- 
cgit v1.2.3
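Review bot: The new guard on the `if token_info.expires and ...` line fails open. A stored token record whose `expires` field is absent for any reason (older data, a creation path that never set it) is now indistinguishable from a deliberately unbounded token and skips the expiry cleanup entirely. Nothing visible in this hunk checks the other bound such a token is meant to rely on, so whether it is ever rejected depends on code outside the hunk; `_get_validated_token_info` starts and ends outside it. I would document the contract at the check, e.g. `-- expires == nil: no per-token lifetime; validity must then be bounded by the grant/client and enforced elsewhere`, and confirm that this other check really runs on this validation path. A debug log line when a token without `expires` is accepted would also make such tokens visible during an audit.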