check age of auth code

This commit is contained in:
Niko Abeler 2022-11-07 19:53:32 +01:00
parent 703531834d
commit fc4f5a1623
1 changed files with 5 additions and 1 deletions

View File

@ -343,7 +343,11 @@ func (user User) VerifyAuthCode(
hash := sha256.Sum256([]byte(code_verifier)) hash := sha256.Sum256([]byte(code_verifier))
return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c return c.CodeChallenge == base64.RawURLEncoding.EncodeToString(hash[:]), c
} else if c.CodeChallengeMethod == "" { } else if c.CodeChallengeMethod == "" {
return true, c // Check age of code
// A maximum lifetime of 10 minutes is recommended ( https://indieauth.spec.indieweb.org/#authorization-response)
if time.Since(c.Created) < 10*time.Minute {
return true, c
}
} }
} }
} }