Refuse OAuth authorization code if a token has already been delivered (active token)

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
pull/40766/head
Julien Veyssier 2 years ago
parent 7bba410997
commit 1ab45bad5d
No known key found for this signature in database
GPG Key ID: 4141FEE162030638
  1. 12
      apps/oauth2/lib/Controller/OauthApiController.php

@ -113,8 +113,18 @@ class OauthApiController extends Controller {
return $response;
}
// check authorization code expiration
if ($grant_type === 'authorization_code') {
// check this token is in authorization code state
$deliveredTokenCount = $accessToken->getTokenCount();
if ($deliveredTokenCount > 0) {
$response = new JSONResponse([
'error' => 'invalid_request',
], Http::STATUS_BAD_REQUEST);
$response->throttle(['invalid_request' => 'authorization_code_received_for_active_token']);
return $response;
}
// check authorization code expiration
$now = $this->timeFactory->now()->getTimestamp();
$tokenCreatedAt = $accessToken->getCreatedAt();
if ($tokenCreatedAt < $now - self::AUTHORIZATION_CODE_EXPIRES_AFTER) {
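Review bot: The new guard at `if ($deliveredTokenCount > 0)` refuses a reused authorization code but leaves the token that was already delivered valid, whereas RFC 6749 §4.1.2 asks the server to revoke all tokens previously issued on that code when reuse is detected, since a second redemption is evidence the code leaked (for example to an attacker who redeemed it first). Before returning the `invalid_request` response, the access token row should be invalidated, presumably through the same mapper the method uses to load `$accessToken` (outside this hunk), so the earlier holder loses access as well. Separately, the count is read and compared with no locking visible here, so two concurrent token requests carrying the same code can both observe a count of 0 and both receive tokens; if the mapper cannot do an atomic conditional update, that residual race deserves a comment such as `// NOTE: read-then-check; concurrent redemption of the same code is not serialized here`. The enclosing method starts and ends outside this hunk.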
