From fc4f5a16231d665be20c958b471bbdeed134cc72 Mon Sep 17 00:00:00 2001
From: Niko Abeler
Date: Mon, 7 Nov 2022 19:53:32 +0100
Subject: [PATCH] check age of auth code
---
 user.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/user.go b/user.go
index 966636f..379f6e8 100644
--- a/user.go
+++ b/user.go
@@ -343,7 +343,11 @@ func (user User) VerifyAuthCode(
 hash := sha256.Sum256([]byte(code_verifier))
 return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c
 } else if c.CodeChallengeMethod == "" {
- return true, c
+ // Check age of code
+ // A maximum lifetime of 10 minutes is recommended ( https://indieauth.spec.indieweb.org/#authorization-response)
+ if time.Since(c.Created) < 10*time.Minute {
+ return true, c
+ }
 }
 }
 }
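Review bot: The new age check only guards the `c.CodeChallengeMethod == ""` branch; the PKCE branch two lines above it still does `return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c` with no lifetime test, so an old code that carries a matching S256 verifier remains redeemable indefinitely while a code without PKCE expires after ten minutes. The expiry should sit ahead of the method dispatch so it applies to every code regardless of challenge method, e.g. reject the code before the `CodeChallengeMethod` comparison with `if time.Since(c.Created) >= 10*time.Minute { return false, c }` (or skip to the next candidate if the enclosing block iterates over several codes). Naming the limit once, `const authCodeMaxAge = 10 * time.Minute`, would keep the spec reference and the value in a single place instead of in the branch comment. The start of the `CodeChallengeMethod` `if` chain and the rest of `VerifyAuthCode` lie outside the hunk, so the exact placement of the hoisted check is inferred from the visible context.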