check age of auth code

2022-11-07 19:53:32 +01:00 · 2022-11-07 19:53:32 +01:00 · fc4f5a1623
parent 703531834d
commit fc4f5a1623
1 changed files with 5 additions and 1 deletions
--- a/user.go
+++ b/user.go
@ -343,7 +343,11 @@ func (user User) VerifyAuthCode(
 				hash := sha256.Sum256([]byte(code_verifier))
 				return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c
 			} else if c.CodeChallengeMethod == "" {
-				return true, c
+				// Check age of code
+				// A maximum lifetime of 10 minutes is recommended ( https://indieauth.spec.indieweb.org/#authorization-response)
+				if time.Since(c.Created) < 10*time.Minute {
+					return true, c
+				}
 			}
 		}
 	}