From 0e02b63d93b56b711fce66bd3f676e4fd684c429 Mon Sep 17 00:00:00 2001
From: Pierre Hubert
Date: Wed, 20 Apr 2022 09:52:00 +0200
Subject: [PATCH] Refuse to deliver token if `code_verifier` is present without code challenge

---
 src/controllers/openid_controller.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index 625884d..cd14a46 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -319,9 +319,10 @@ pub async fn token(req: HttpRequest,
             if !chall.verify_code(code_verifier) {
                 return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
             }
+        } else if q.code_verifier.is_some() {
+            return Ok(error_response(&query, "invalid_grant", "Unexpected `code_verifier` parameter!"));
         }
-
         if session.access_token.is_some() {
             return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
         }
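Review bot: The new `else if q.code_verifier.is_some()` arm covers a verifier sent when no challenge was stored, but the other half of the PKCE rule — a stored challenge whose `code_verifier` is absent — depends on the `if let` head above this hunk, which is outside the visible lines; worth confirming that path also ends in `invalid_grant` instead of skipping verification. A one-line comment would keep the intent from being lost in a later refactor, e.g. `// PKCE: a verifier without a challenge recorded at authorization time is a client/config mismatch — reject it rather than ignore it.` Note that both PKCE checks run before the "Authorization code already used!" check, so a replayed code that carries a stray verifier is reported as a verifier problem; if code reuse has consequences elsewhere (presumably revocation of earlier tokens, not visible here), the reuse check may belong first. The enclosing `token` function starts and ends outside the hunk.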