From 36afd999b1042b997ae59c81dce755fb01ee2b11 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Thu, 6 Oct 2022 15:59:07 +0100
Subject: mod_tokenauth: Invalidate tokens issued before most recent password change
This is a security improvement, to ensure that sessions authenticated using a token (note: not currently possible in stock Prosody) are invalidated just like password-authenticated sessions are.
---
 plugins/mod_tokenauth.lua | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'plugins')
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index 85602747..450e2f0a 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -68,6 +68,12 @@ local function _get_parsed_token_info(token_id, token_user, token_host)
 return nil, "not-authorized";
 end
+ local account_info = usermanager.get_account_info(token_user, module.host);
+ local password_updated_at = account_info and account_info.password_updated;
+ if password_updated_at and password_updated_at > token_info.created then
+ return nil, "not-authorized";
+ end
+
 return token_info
 end
-- cgit v1.2.3
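Review bot: The comparison on the new `if` line raises a Lua error instead of denying access when a stored token record has no `created` field, because `number > nil` is a comparison error in Lua; if any token records were written before `created` was recorded, they would trip it on every lookup. Failing closed is the safer shape: `if password_updated_at and (not token_info.created or password_updated_at > token_info.created) then`. Separately, when the auth provider's `get_account_info` returns nothing or omits `password_updated`, the new check is silently skipped, so a `module:log("debug", ...)` in that branch would make the degraded state visible to an operator. The body of `_get_parsed_token_info` begins before this hunk, so whether `token_host` has already been checked against `module.host` (the host passed to `get_account_info`) is not visible here.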