author | Julien Veyssier <julien-nc@posteo.net> | 2023-08-29 12:12:36 +0200 |
---|---|---|
committer | Julien Veyssier <julien-nc@posteo.net> | 2023-10-05 14:24:02 +0200 |
commit | 1ab45bad5d20a62161448c29eb1c3282c1813649 (patch) | |
tree | 44e967a113bbd0e515b46649b316433f77e6d941 /apps/oauth2/lib | |
parent | 7bba41099753ca3e28ae5ee22f2460e5cd989250 (diff) | |
refuse oauth authorization code if a token has already been delivered (active token)
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Diffstat (limited to 'apps/oauth2/lib')
-rw-r--r-- | apps/oauth2/lib/Controller/OauthApiController.php | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index 2ac492bd6ac..d1eda92b228 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -113,8 +113,18 @@ class OauthApiController extends Controller {
 			return $response;
 		}
-		// check authorization code expiration
 		if ($grant_type === 'authorization_code') {
+			// check this token is in authorization code state
+			$deliveredTokenCount = $accessToken->getTokenCount();
+			if ($deliveredTokenCount > 0) {
+				$response = new JSONResponse([
+					'error' => 'invalid_request',
+				], Http::STATUS_BAD_REQUEST);
+				$response->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
+				return $response;
+			}
+
+			// check authorization code expiration
 			$now = $this->timeFactory->now()->getTimestamp();
 			$tokenCreatedAt = $accessToken->getCreatedAt();
 			if ($tokenCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) { |
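Review bot: The replayed authorization code is refused in the new `$deliveredTokenCount > 0` branch, but the access/refresh token pair already minted from that code stays valid; RFC 6749 §4.1.2 says that when a code is presented more than once the server should revoke the tokens previously issued on it, because a second presentation is a strong indicator the code leaked to a third party. Unless that revocation already happens on another path I cannot see here, delete the token entity before returning, e.g. `$this->accessTokenMapper->delete($accessToken);` if that is the mapper this controller already holds (otherwise the equivalent delete on whatever mapper loaded `$accessToken`). The returned error is also worth a second look: RFC 6749 §5.2 defines `invalid_grant` for an invalid, expired or already-used authorization code, whereas `invalid_request` is for malformed requests, so `'error' => 'invalid_grant'` would let clients distinguish this case from a bad request; the expiration branch's own response is outside the hunk, so keep the two consistent whichever you choose. The enclosing method starts and ends outside this hunk.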