diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts index d25f21ff5..18189be83 100644 --- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts +++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts @@ -1,6 +1,5 @@ import dns from 'node:dns/promises'; import { fileURLToPath } from 'node:url'; -import crypto from 'node:crypto'; import { Inject, Injectable } from '@nestjs/common'; import { JSDOM } from 'jsdom'; import httpLinkHeader from 'http-link-header'; @@ -24,6 +23,7 @@ import type { AccessTokensRepository, UsersRepository } from '@/models/index.js' import { IdService } from '@/core/IdService.js'; import { CacheService } from '@/core/CacheService.js'; import type { LocalUser } from '@/models/entities/User.js'; +import { MemoryKVCache } from '@/misc/cache.js'; import type * as Redis from 'ioredis'; import type { FastifyInstance } from 'fastify'; @@ -304,14 +304,14 @@ export class OAuth2ProviderService { // }, // }); - // TODO: store this in Redis - const TEMP_GRANT_CODES: Record = {}; + }>(1000 * 60 * 5); // 5m this.#server.grant(oauth2Pkce.extensions()); this.#server.grant(oauth2orize.grant.code({ @@ -339,25 +339,24 @@ export class OAuth2ProviderService { throw new AuthorizationError('No such user', 'invalid_request'); } - TEMP_GRANT_CODES[code] = { + grantCodeCache.set(code, { clientId: client.id, userId: user.id, redirectUri, codeChallenge: (areq as OAuthRequest).codeChallenge, scopes: areq.scope, - }; + }); return [code]; })().then(args => done(null, ...args), err => done(err)); })); this.#server.exchange(oauth2orize.exchange.authorizationCode((client, code, redirectUri, body, authInfo, done) => { (async (): Promise>> => { - const granted = TEMP_GRANT_CODES[code]; + const granted = grantCodeCache.get(code); console.log(granted, body, code, redirectUri); if (!granted) { - // TODO: throw TokenError? return [false]; } - delete TEMP_GRANT_CODES[code]; + grantCodeCache.delete(code); if (body.client_id !== granted.clientId) return [false]; if (redirectUri !== granted.redirectUri) return [false]; if (!body.code_verifier) return [false];