public/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-02-07 09:49:41 +09:00
Code Issues Packages Projects Releases Wiki Activity

Fix oauth2 s256 (#36462)

Browse Source
This commit is contained in:
Lunny Xiao
2026-01-27 21:42:07 -08:00
committed by GitHub
parent 224b7881d9
commit bf8d11bb21
2 changed files with 40 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
routers/web/auth/oauth2_provider.go
View File

@@ -230,8 +230,7 @@ func AuthorizeOAuth(ctx *context.Context) {
// pkce support // pkce support
switch form.CodeChallengeMethod { switch form.CodeChallengeMethod {
case "S256": case "S256", "plain":
case "plain":
if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil { if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
handleAuthorizeError(ctx, AuthorizeError{ handleAuthorizeError(ctx, AuthorizeError{
ErrorCode: ErrorCodeServerError, ErrorCode: ErrorCodeServerError,

39
tests/integration/oauth_test.go
View File

@@ -10,6 +10,7 @@ import (
"io" "io"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url"
"strings" "strings"
"testing" "testing"
@@ -94,6 +95,44 @@ func TestAuthorizeShow(t *testing.T) {
AssertHTMLElement(t, htmlDoc, "#authorize-app", true) AssertHTMLElement(t, htmlDoc, "#authorize-app", true)
} }
func TestAuthorizeGrantS256RequiresVerifier(t *testing.T) {
defer tests.PrepareTestEnv(t)()
ctx := loginUser(t, "user4")
codeChallenge := "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg"
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate&code_challenge_method=S256&code_challenge="+url.QueryEscape(codeChallenge))
resp := ctx.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body)
AssertHTMLElement(t, htmlDoc, "#authorize-app", true)
grantReq := NewRequestWithValues(t, "POST", "/login/oauth/grant", map[string]string{
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"state": "thestate",
"scope": "",
"nonce": "",
"redirect_uri": "a",
"granted": "true",
})
grantResp := ctx.MakeRequest(t, grantReq, http.StatusSeeOther)
u, err := grantResp.Result().Location()
assert.NoError(t, err)
code := u.Query().Get("code")
assert.NotEmpty(t, code)
accessReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
"grant_type": "authorization_code",
"client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
"redirect_uri": "a",
"code": code,
})
accessResp := MakeRequest(t, accessReq, http.StatusBadRequest)
parsedError := new(oauth2_provider.AccessTokenError)
assert.NoError(t, json.Unmarshal(accessResp.Body.Bytes(), parsedError))
assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
assert.Equal(t, "failed PKCE code challenge", parsedError.ErrorDescription)
}
func TestAuthorizeRedirectWithExistingGrant(t *testing.T) { func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate") req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate")