Refuse to deliver token if code_verifier
is present without code challenge
parent
d7344feb9b
commit
0e02b63d93
@ -319,9 +319,10 @@ pub async fn token(req: HttpRequest,
|
|||||||
if !chall.verify_code(code_verifier) {
|
if !chall.verify_code(code_verifier) {
|
||||||
return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
|
return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
|
||||||
}
|
}
|
||||||
|
} else if q.code_verifier.is_some() {
|
||||||
|
return Ok(error_response(&query, "invalid_grant", "Unexpected `code_verifier` parameter!"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
if session.access_token.is_some() {
|
if session.access_token.is_some() {
|
||||||
return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
|
return Ok(error_response(&query, "invalid_request", "Authorization code already used!"));
|
||||||
}
|
}
|
||||||
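Review bot: The new `else if` at the `q.code_verifier.is_some()` line closes the verifier-without-challenge case, but the mirror case that matters for a PKCE downgrade — a challenge stored for the session and no `code_verifier` sent — is not visible here, since the `if` that binds `chall` presumably begins above the hunk; it is worth confirming that path returns an error rather than skipping `verify_code`. For the new error, `invalid_request` would be the closer RFC 6749 code than `invalid_grant`, which RFC 7636 uses for a verifier that fails to match the stored challenge, and the message `"Unexpected `code_verifier` parameter!"` breaks the style of the neighbouring `"Invalid code verifier"`. Suggested line: `return Ok(error_response(&query, "invalid_request", "Unexpected code_verifier parameter"));`. The enclosing `token` function starts and ends outside the hunk.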
|