fix: ensure no oidc code reuse

Stavros
2026-06-01 12:22:49 +03:00
parent b5770ef305
commit 5caee887de
2 changed files with 46 additions and 2 deletions
+15
@@ -327,6 +327,18 @@ func (controller *OIDCController) Token(c *gin.Context) {
entry, ok := controller.oidc.GetCodeEntry(controller.oidc.Hash(req.Code), client.ClientID)
if !ok {
// ensure no code reuse
usedCodeSub, ok := controller.oidc.IsCodeUsed(controller.oidc.Hash(req.Code))
if ok {
controller.log.App.Warn().Msg("Code reuse detected")
controller.oidc.DeleteSessionBySub(c, usedCodeSub)
c.JSON(400, gin.H{
"error": "invalid_grant",
})
return
}
controller.log.App.Warn().Msg("Code not found")
c.JSON(400, gin.H{
"error": "invalid_grant",
@@ -334,6 +346,9 @@ func (controller *OIDCController) Token(c *gin.Context) {
return
}
// mark code as used to prevent reuse
controller.oidc.MarkCodeAsUsed(controller.oidc.Hash(req.Code), entry.Userinfo.Sub)
if entry.RedirectURI != req.RedirectURI {
controller.log.App.Warn().Msg("Redirect URI does not match")
c.JSON(400, gin.H{