From daa18efc99b5293187eb0427a11d39ecb6d53c02 Mon Sep 17 00:00:00 2001 From: Kagami Sascha Rosylight Date: Fri, 23 Jun 2023 01:53:27 +0200 Subject: [PATCH] generate the code later --- packages/backend/src/server/oauth/OAuth2ProviderService.ts | 6 ++++-- packages/frontend/src/pages/oauth.vue | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts index fa5299dbc..8bbbfa5d6 100644 --- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts +++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts @@ -238,14 +238,14 @@ export class OAuth2ProviderService { used?: boolean, }>(1000 * 60 * 5); // expires after 5m - // https://datatracker.ietf.org/doc/html/rfc7636.html + // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics + // Authorization servers MUST support PKCE [RFC7636]. this.#server.grant(oauth2Pkce.extensions()); this.#server.grant(oauth2orize.grant.code({ modes: getQueryMode(config.url), }, (client, redirectUri, token, ares, areq, locals, done) => { (async (): Promise>> => { this.#logger.info(`Checking the user before sending authorization code to ${client.id}`); - const code = secureRndstr(128, true); if (!token) { throw new AuthorizationError('No user', 'invalid_request'); @@ -257,6 +257,8 @@ export class OAuth2ProviderService { } this.#logger.info(`Sending authorization code on behalf of user ${user.id} to ${client.id} through ${redirectUri}, with scope: [${areq.scope}]`); + + const code = secureRndstr(128, true); grantCodeCache.set(code, { clientId: client.id, userId: user.id, diff --git a/packages/frontend/src/pages/oauth.vue b/packages/frontend/src/pages/oauth.vue index e0d126cb3..94ad8e6d3 100644 --- a/packages/frontend/src/pages/oauth.vue +++ b/packages/frontend/src/pages/oauth.vue @@ -1,7 +1,7 @@