fix: revoke access token on duplicate auth code user

2026-04-12 16:57:55 +00:00 · 2026-04-11 18:33:19 +03:00
17 changed files with 257 additions and 110 deletions
--- a/frontend/bun.lock
+++ b/frontend/bun.lock
@@ -19,6 +19,7 @@
        "i18next": "^26.0.3",
        "i18next-browser-languagedetector": "^8.2.1",
        "i18next-resources-to-backend": "^1.2.1",
+        "input-otp": "^1.4.2",
        "lucide-react": "^1.7.0",
        "next-themes": "^0.4.6",
        "radix-ui": "^1.4.3",
@@ -622,6 +623,8 @@

    "inline-style-parser": ["inline-style-parser@0.2.4", "", {}, "sha512-0aO8FkhNZlj/ZIbNi7Lxxr12obT7cL1moPfE4tg1LkX7LlLfC6DeX4l2ZEud1ukP9jNQyNnfzQVqwbwmAATY4Q=="],

+    "input-otp": ["input-otp@1.4.2", "", { "peerDependencies": { "react": "^16.8 || ^17.0 || ^18.0 || ^19.0.0 || ^19.0.0-rc", "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0.0 || ^19.0.0-rc" } }, "sha512-l3jWwYNvrEa6NTCt7BECfCm48GvwuZzkoeG3gBL2w4CHeOXW3eKFmf9UNYkNfYc3mxMrthMnxjIE07MT0zLBQA=="],
+
    "is-alphabetical": ["is-alphabetical@2.0.1", "", {}, "sha512-FWyyY60MeTNyeSRpkM2Iry0G9hpr7/9kD40mD/cGQEuilcZYS4okz8SN2Q6rLCJ8gbCt6fN+rC+6tMGS99LaxQ=="],

    "is-alphanumerical": ["is-alphanumerical@2.0.1", "", { "dependencies": { "is-alphabetical": "^2.0.0", "is-decimal": "^2.0.0" } }, "sha512-hmbYhX/9MUMF5uh7tOXyK/n0ZvWpad5caBA17GsC6vyuCqaWliRG5K1qS9inmUhEMaOBIW7/whAnSwveW/LtZw=="],
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -25,6 +25,7 @@
    "i18next": "^26.0.3",
    "i18next-browser-languagedetector": "^8.2.1",
    "i18next-resources-to-backend": "^1.2.1",
+    "input-otp": "^1.4.2",
    "lucide-react": "^1.7.0",
    "next-themes": "^0.4.6",
    "radix-ui": "^1.4.3",
--- a/frontend/src/components/auth/totp-form.tsx
+++ b/frontend/src/components/auth/totp-form.tsx
@@ -1,10 +1,14 @@
 import { Form, FormControl, FormField, FormItem } from "../ui/form";
-import { Input } from "../ui/input";
+import {
+  InputOTP,
+  InputOTPGroup,
+  InputOTPSeparator,
+  InputOTPSlot,
+} from "../ui/input-otp";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { useForm } from "react-hook-form";
 import { totpSchema, TotpSchema } from "@/schemas/totp-schema";
 import { useTranslation } from "react-i18next";
-import { useRef } from "react";
 import z from "zod";

 interface Props {
@@ -15,7 +19,6 @@ interface Props {
 export const TotpForm = (props: Props) => {
  const { formId, onSubmit } = props;
  const { t } = useTranslation();
-  const autoSubmittedRef = useRef(false);

  z.config({
    customError: (iss) =>
@@ -26,19 +29,14 @@ export const TotpForm = (props: Props) => {
    resolver: zodResolver(totpSchema),
  });

-  const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => {
-    const value = e.target.value.replace(/\D/g, "").slice(0, 6);
-    form.setValue("code", value, { shouldDirty: true, shouldValidate: false });
-    if (value.length === 6 && !autoSubmittedRef.current) {
-      autoSubmittedRef.current = true;
-      form.handleSubmit(onSubmit)();
-      return;
+  const handleChange = (value: string) => {
+    form.setValue("code", value, { shouldDirty: true, shouldValidate: true });
+
+    if (value.length === 6) {
+      onSubmit({ code: value });
    }
-    autoSubmittedRef.current = false;
  };

-  // Note: This is not the best UX, ideally we would want https://github.com/guilhermerodz/input-otp
-  // but some password managers cannot autofill the inputs (see #92) so, simple input it is
  return (
    <Form {...form}>
      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
@@ -48,17 +46,25 @@ export const TotpForm = (props: Props) => {
          render={({ field }) => (
            <FormItem>
              <FormControl>
-                <Input
+                <InputOTP
+                  maxLength={6}
                  {...field}
-                  type="text"
-                  inputMode="numeric"
                  autoComplete="one-time-code"
                  autoFocus
-                  maxLength={6}
-                  placeholder="XXXXXX"
                  onChange={handleChange}
-                  className="text-center"
-                />
+                >
+                  <InputOTPGroup>
+                    <InputOTPSlot index={0} />
+                    <InputOTPSlot index={1} />
+                    <InputOTPSlot index={2} />
+                  </InputOTPGroup>
+                  <InputOTPSeparator />
+                  <InputOTPGroup>
+                    <InputOTPSlot index={3} />
+                    <InputOTPSlot index={4} />
+                    <InputOTPSlot index={5} />
+                  </InputOTPGroup>
+                </InputOTP>
              </FormControl>
            </FormItem>
          )}
--- a/frontend/src/components/ui/input-otp.tsx
+++ b/frontend/src/components/ui/input-otp.tsx
@@ -0,0 +1,75 @@
+import * as React from "react";
+import { OTPInput, OTPInputContext } from "input-otp";
+import { MinusIcon } from "lucide-react";
+
+import { cn } from "@/lib/utils";
+
+function InputOTP({
+  className,
+  containerClassName,
+  ...props
+}: React.ComponentProps<typeof OTPInput> & {
+  containerClassName?: string;
+}) {
+  return (
+    <OTPInput
+      data-slot="input-otp"
+      containerClassName={cn(
+        "flex items-center gap-2 has-disabled:opacity-50",
+        containerClassName,
+      )}
+      className={cn("disabled:cursor-not-allowed", className)}
+      {...props}
+    />
+  );
+}
+
+function InputOTPGroup({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="input-otp-group"
+      className={cn("flex items-center", className)}
+      {...props}
+    />
+  );
+}
+
+function InputOTPSlot({
+  index,
+  className,
+  ...props
+}: React.ComponentProps<"div"> & {
+  index: number;
+}) {
+  const inputOTPContext = React.useContext(OTPInputContext);
+  const { char, hasFakeCaret, isActive } = inputOTPContext?.slots[index] ?? {};
+
+  return (
+    <div
+      data-slot="input-otp-slot"
+      data-active={isActive}
+      className={cn(
+        "data-[active=true]:border-ring data-[active=true]:ring-ring/50 data-[active=true]:aria-invalid:ring-destructive/20 dark:data-[active=true]:aria-invalid:ring-destructive/40 aria-invalid:border-destructive data-[active=true]:aria-invalid:border-destructive dark:bg-input/30 border-input relative flex h-9 w-9 items-center justify-center border-y border-r text-sm shadow-xs transition-all outline-none first:rounded-l-md first:border-l last:rounded-r-md data-[active=true]:z-10 data-[active=true]:ring-[3px]",
+        className,
+      )}
+      {...props}
+    >
+      {char}
+      {hasFakeCaret && (
+        <div className="pointer-events-none absolute inset-0 flex items-center justify-center">
+          <div className="animate-caret-blink bg-foreground h-4 w-px duration-1000" />
+        </div>
+      )}
+    </div>
+  );
+}
+
+function InputOTPSeparator({ ...props }: React.ComponentProps<"div">) {
+  return (
+    <div data-slot="input-otp-separator" role="separator" {...props}>
+      <MinusIcon />
+    </div>
+  );
+}
+
+export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };
--- a/frontend/src/lib/hooks/oidc.ts
+++ b/frontend/src/lib/hooks/oidc.ts
@@ -11,33 +11,6 @@ export const oidcParamsSchema = z.object({
  code_challenge_method: z.string().optional(),
 });

-function b64urlDecode(s: string): string {
-  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
-  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
-}
-
-function decodeRequestObject(jwt: string): Record<string, string> {
-  try {
-    // Must have exactly 3 parts: header, payload, signature
-    const parts = jwt.split(".");
-    if (parts.length !== 3) return {};
-
-    // Header must specify "alg": "none" and signature must be empty string
-    const header = JSON.parse(b64urlDecode(parts[0]));
-    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
-
-    const payload = JSON.parse(b64urlDecode(parts[1]));
-    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
-    const result: Record<string, string> = {};
-    for (const [k, v] of Object.entries(payload)) {
-      if (typeof v === "string") result[k] = v;
-    }
-    return result;
-  } catch {
-    return {};
-  }
-}
-
 export const useOIDCParams = (
  params: URLSearchParams,
 ): {
@@ -47,15 +20,6 @@ export const useOIDCParams = (
  compiled: string;
 } => {
  const obj = Object.fromEntries(params.entries());
-
-  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
-  // and merge claims over top-level params (JWT claims take precedence)
-  const requestJwt = params.get("request");
-  if (requestJwt) {
-    const claims = decodeRequestObject(requestJwt);
-    Object.assign(obj, claims);
-  }
-
  const parsed = oidcParamsSchema.safeParse(obj);

  if (parsed.success) {
--- a/frontend/src/pages/totp-page.tsx
+++ b/frontend/src/pages/totp-page.tsx
@@ -74,7 +74,7 @@ export const TotpPage = () => {
        <CardTitle className="text-xl">{t("totpTitle")}</CardTitle>
        <CardDescription>{t("totpSubtitle")}</CardDescription>
      </CardHeader>
-      <CardContent>
+      <CardContent className="flex flex-col items-center">
        <TotpForm
          formId={formId}
          onSubmit={(values) => totpMutation.mutate(values)}
--- a/internal/assets/migrations/000008_oidc_coder_user.down.sql
+++ b/internal/assets/migrations/000008_oidc_coder_user.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "oidc_tokens" DROP COLUMN "code_hash";
--- a/internal/assets/migrations/000008_oidc_coder_user.up.sql
+++ b/internal/assets/migrations/000008_oidc_coder_user.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "oidc_tokens" ADD COLUMN "code_hash" TEXT DEFAULT "";
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -275,6 +275,9 @@ func (controller *OIDCController) Token(c *gin.Context) {
 	case "authorization_code":
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
+			// Delete the access token just in case
+			controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code))
+
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -778,6 +778,74 @@ func TestOIDCController(t *testing.T) {
 				assert.NotEmpty(t, error)
 			},
 		},
+		{
+			description: "Ensure access token gets invalidated on double code use",
+			middlewares: []gin.HandlerFunc{
+				simpleCtx,
+			},
+			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
+				authorizeCodeTest, found := getTestByDescription("Ensure authorize succeeds with valid params")
+				assert.True(t, found, "Authorize test not found")
+				authorizeCodeTest(t, router, recorder)
+
+				var res map[string]any
+				err := json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				redirectURI := res["redirect_uri"].(string)
+				url, err := url.Parse(redirectURI)
+				assert.NoError(t, err)
+
+				queryParams := url.Query()
+				code := queryParams.Get("code")
+				assert.NotEmpty(t, code)
+
+				reqBody := controller.TokenRequest{
+					GrantType:   "authorization_code",
+					Code:        code,
+					RedirectURI: "https://test.example.com/callback",
+				}
+				reqBodyEncoded, err := query.Values(reqBody)
+				assert.NoError(t, err)
+
+				req := httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+
+				assert.Equal(t, 200, recorder.Code)
+
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+
+				accessToken := res["access_token"].(string)
+				assert.NotEmpty(t, accessToken)
+
+				req = httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer "+accessToken)
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 200, recorder.Code)
+
+				req = httptest.NewRequest("POST", "/api/oidc/token", strings.NewReader(reqBodyEncoded.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				req.SetBasicAuth("some-client-id", "some-client-secret")
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 400, recorder.Code)
+
+				req = httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
+				req.Header.Set("Authorization", "Bearer "+accessToken)
+				recorder = httptest.NewRecorder()
+				router.ServeHTTP(recorder, req)
+				assert.Equal(t, 401, recorder.Code)
+
+				err = json.Unmarshal(recorder.Body.Bytes(), &res)
+				assert.NoError(t, err)
+				assert.Equal(t, "invalid_grant", res["error"])
+			},
+		},
 	}

 	app := bootstrap.NewBootstrapApp(config.Config{})
--- a/internal/controller/well_known_controller.go
+++ b/internal/controller/well_known_controller.go
@@ -9,21 +9,19 @@ import (
 )

 type OpenIDConnectConfiguration struct {
-	Issuer                                 string   `json:"issuer"`
-	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
-	TokenEndpoint                          string   `json:"token_endpoint"`
-	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
-	JwksUri                                string   `json:"jwks_uri"`
-	ScopesSupported                        []string `json:"scopes_supported"`
-	ResponseTypesSupported                 []string `json:"response_types_supported"`
-	GrantTypesSupported                    []string `json:"grant_types_supported"`
-	SubjectTypesSupported                  []string `json:"subject_types_supported"`
-	IDTokenSigningAlgValuesSupported       []string `json:"id_token_signing_alg_values_supported"`
-	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported"`
-	ClaimsSupported                        []string `json:"claims_supported"`
-	ServiceDocumentation                   string   `json:"service_documentation"`
-	RequestParameterSupported              bool     `json:"request_parameter_supported"`
-	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
+	Issuer                            string   `json:"issuer"`
+	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
+	TokenEndpoint                     string   `json:"token_endpoint"`
+	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
+	JwksUri                           string   `json:"jwks_uri"`
+	ScopesSupported                   []string `json:"scopes_supported"`
+	ResponseTypesSupported            []string `json:"response_types_supported"`
+	GrantTypesSupported               []string `json:"grant_types_supported"`
+	SubjectTypesSupported             []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	ClaimsSupported                   []string `json:"claims_supported"`
+	ServiceDocumentation              string   `json:"service_documentation"`
 }

 type WellKnownControllerConfig struct{}
@@ -50,21 +48,19 @@ func (controller *WellKnownController) SetupRoutes() {
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
-		Issuer:                                 issuer,
-		AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", issuer),
-		TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", issuer),
-		UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", issuer),
-		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", issuer),
-		ScopesSupported:                        service.SupportedScopes,
-		ResponseTypesSupported:                 service.SupportedResponseTypes,
-		GrantTypesSupported:                    service.SupportedGrantTypes,
-		SubjectTypesSupported:                  []string{"pairwise"},
-		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
-		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-		RequestParameterSupported:              true,
-		RequestObjectSigningAlgValuesSupported: []string{"none"},
+		Issuer:                            issuer,
+		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", issuer),
+		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", issuer),
+		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", issuer),
+		JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", issuer),
+		ScopesSupported:                   service.SupportedScopes,
+		ResponseTypesSupported:            service.SupportedResponseTypes,
+		GrantTypesSupported:               service.SupportedGrantTypes,
+		SubjectTypesSupported:             []string{"pairwise"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
+		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }

--- a/internal/controller/well_known_controller_test.go
+++ b/internal/controller/well_known_controller_test.go
@@ -56,21 +56,19 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)

 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
-					ScopesSupported:                        service.SupportedScopes,
-					ResponseTypesSupported:                 service.SupportedResponseTypes,
-					GrantTypesSupported:                    service.SupportedGrantTypes,
-					SubjectTypesSupported:                  []string{"pairwise"},
-					IDTokenSigningAlgValuesSupported:       []string{"RS256"},
-					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-					RequestParameterSupported:              true,
-					RequestObjectSigningAlgValuesSupported: []string{"none"},
+					Issuer:                            oidcServiceCfg.Issuer,
+					AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
+					TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
+					UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
+					JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					ScopesSupported:                   service.SupportedScopes,
+					ResponseTypesSupported:            service.SupportedResponseTypes,
+					GrantTypesSupported:               service.SupportedGrantTypes,
+					SubjectTypesSupported:             []string{"pairwise"},
+					IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+					TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
+					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+					ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 				}

 				assert.Equal(t, expected, res)
--- a/internal/repository/models.go
+++ b/internal/repository/models.go
@@ -19,6 +19,7 @@ type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
+	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
--- a/internal/repository/oidc_queries.sql.go
+++ b/internal/repository/oidc_queries.sql.go
@@ -70,11 +70,12 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
+    "code_hash",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `

 type CreateOidcTokenParams struct {
@@ -85,6 +86,7 @@ type CreateOidcTokenParams struct {
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
+	CodeHash              string
 	Nonce                 string
 }

@@ -97,6 +99,7 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
+		arg.CodeHash,
 		arg.Nonce,
 	)
 	var i OidcToken
@@ -104,6 +107,7 @@ func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -198,7 +202,7 @@ func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) (
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < ? AND "refresh_token_expires_at" < ?
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `

 type DeleteExpiredOidcTokensParams struct {
@@ -219,6 +223,7 @@ func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpired
 			&i.Sub,
 			&i.AccessTokenHash,
 			&i.RefreshTokenHash,
+			&i.CodeHash,
 			&i.Scope,
 			&i.ClientID,
 			&i.TokenExpiresAt,
@@ -268,6 +273,16 @@ func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) e
 	return err
 }

+const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
+DELETE FROM "oidc_tokens"
+WHERE "code_hash" = ?
+`
+
+func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
+	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
+	return err
+}
+
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = ?
@@ -375,7 +390,7 @@ func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcC
 }

 const getOidcToken = `-- name: GetOidcToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = ?
 `

@@ -386,6 +401,7 @@ func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (Oid
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -396,7 +412,7 @@ func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (Oid
 }

 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = ?
 `

@@ -407,6 +423,7 @@ func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHa
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -417,7 +434,7 @@ func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHa
 }

 const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
-SELECT sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
+SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "sub" = ?
 `

@@ -428,6 +445,7 @@ func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken,
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
@@ -463,7 +481,7 @@ UPDATE "oidc_tokens" SET
    "token_expires_at" = ?,
    "refresh_token_expires_at" = ?
 WHERE "refresh_token_hash" = ?
-RETURNING sub, access_token_hash, refresh_token_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
+RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `

 type UpdateOidcTokenByRefreshTokenParams struct {
@@ -487,6 +505,7 @@ func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateO
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
+		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -506,6 +506,7 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
 		TokenExpiresAt:        tokenExpiresAt,
 		RefreshTokenExpiresAt: refrshTokenExpiresAt,
 		Nonce:                 codeEntry.Nonce,
+		CodeHash:              codeEntry.CodeHash,
 	})

 	if err != nil {
@@ -590,6 +591,10 @@ func (service *OIDCService) DeleteToken(c *gin.Context, tokenHash string) error
 	return service.queries.DeleteOidcToken(c, tokenHash)
 }

+func (service *OIDCService) DeleteTokenByCodeHash(c *gin.Context, codeHash string) error {
+	return service.queries.DeleteOidcTokenByCodeHash(c, codeHash)
+}
+
 func (service *OIDCService) GetAccessToken(c *gin.Context, tokenHash string) (repository.OidcToken, error) {
 	entry, err := service.queries.GetOidcToken(c, tokenHash)

--- a/sql/oidc_queries.sql
+++ b/sql/oidc_queries.sql
@@ -48,9 +48,10 @@ INSERT INTO "oidc_tokens" (
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
+    "code_hash",
    "nonce"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;

@@ -75,6 +76,10 @@ WHERE "refresh_token_hash" = ?;
 SELECT * FROM "oidc_tokens"
 WHERE "sub" = ?;

+-- name: DeleteOidcTokenByCodeHash :exec
+DELETE FROM "oidc_tokens"
+WHERE "code_hash" = ?;
+
 -- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = ?;
--- a/sql/oidc_schemas.sql
+++ b/sql/oidc_schemas.sql
@@ -13,6 +13,7 @@ CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
+    "code_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
				`@@ -0,0 +1 @@`
				`ALTER TABLE "oidc_tokens" DROP COLUMN "code_hash";`
				`@@ -0,0 +1 @@`
				`ALTER TABLE "oidc_tokens" ADD COLUMN "code_hash" TEXT DEFAULT "";`