From 1ab45bad5d20a62161448c29eb1c3282c1813649 Mon Sep 17 00:00:00 2001
From: Julien Veyssier
Date: Tue, 29 Aug 2023 12:12:36 +0200
Subject: refuse oauth authorization code if a token has already been delivered (active token)

Signed-off-by: Julien Veyssier
---
 apps/oauth2/lib/Controller/OauthApiController.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'apps')

diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index 2ac492bd6ac..d1eda92b228 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -113,8 +113,18 @@ class OauthApiController extends Controller {
 return $response;
 }
 
- // check authorization code expiration
 if ($grant_type === 'authorization_code') {
+ // check this token is in authorization code state
+ $deliveredTokenCount = $accessToken->getTokenCount();
+ if ($deliveredTokenCount > 0) {
+ $response = new JSONResponse([
+ 'error' => 'invalid_request',
+ ], Http::STATUS_BAD_REQUEST);
+ $response->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
+ return $response;
+ }
+
+ // check authorization code expiration
 $now = $this->timeFactory->now()->getTimestamp();
 $tokenCreatedAt = $accessToken->getCreatedAt();
 if ($tokenCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) {
-- 
cgit v1.2.3
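Review bot: The `if ($deliveredTokenCount > 0)` branch refuses the replayed authorization code but leaves the token that was already issued on it untouched, whereas RFC 6749 §4.1.2 says the server SHOULD revoke the tokens previously issued on that code when it is presented a second time, because a second presentation is a strong signal that the code was leaked to another party; consider invalidating that token (and recording the client in the log) before returning, so a stolen code cannot keep a previously delivered session alive. The error code returned is `'error' => 'invalid_request'`, while RFC 6749 §5.2 assigns an invalid, expired or already-used authorization code to `invalid_grant`; if `invalid_request` is kept for consistency with the expiry check that follows, a one-line comment saying so would stop the next reader from treating it as a mistake. The comment `// check this token is in authorization code state` would read more clearly as `// a token was already delivered for this authorization code: refuse the replay`. The enclosing method starts and ends outside the hunk, and what getTokenCount() counts is inferred from the commit title rather than visible here.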