check age of auth code

This commit is contained in:
Niko Abeler 2022-11-07 19:53:32 +01:00
parent 703531834d
commit fc4f5a1623
1 changed files with 5 additions and 1 deletions

View File

@ -343,10 +343,14 @@ func (user User) VerifyAuthCode(
hash := sha256.Sum256([]byte(code_verifier)) hash := sha256.Sum256([]byte(code_verifier))
return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c
} else if c.CodeChallengeMethod == "" { } else if c.CodeChallengeMethod == "" {
// Check age of code
// A maximum lifetime of 10 minutes is recommended ( https://indieauth.spec.indieweb.org/#authorization-response)
if time.Since(c.Created) < 10*time.Minute {
return true, c return true, c
} }
} }
} }
}
return false, AuthCode{} return false, AuthCode{}
} }