[bugfix] Assume default code challenge method of s256 (#4241)

Bumps our oauth2 dependency, and uses *default* code challenge method of S256 instead of plain. Fixes https://codeberg.org/superseriousbusiness/gotosocial/issues/4238 Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4241 Co-authored-by: tobi <tobi.smethurst@protonmail.com> Co-committed-by: tobi <tobi.smethurst@protonmail.com>
2025-10-28 11:12:25 -05:00 · 2025-06-05 11:29:36 +02:00 · 2025-06-05 11:29:36 +02:00 · 118d4e4d03
commit 118d4e4d03
parent 43f1c6d872
6 changed files with 30 additions and 12 deletions
--- a/go.mod
+++ b/go.mod
@ -14,7 +14,7 @@ require (
 	code.superseriousbusiness.org/activity v1.15.0
 	code.superseriousbusiness.org/exif-terminator v0.11.0
 	code.superseriousbusiness.org/httpsig v1.4.0
-	code.superseriousbusiness.org/oauth2/v4 v4.8.0
+	code.superseriousbusiness.org/oauth2/v4 v4.9.0
 	codeberg.org/gruf/go-bitutil v1.1.0
 	codeberg.org/gruf/go-bytesize v1.0.3
 	codeberg.org/gruf/go-byteutil v1.3.0
--- a/go.sum
+++ b/go.sum
@ -8,8 +8,8 @@ code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 h1:I512jiIeXDC4//
 code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0/go.mod h1:SNHomXNW88o1pFfLHpD4KsCZLfcr4z5dm+xcX5SV10A=
 code.superseriousbusiness.org/httpsig v1.4.0 h1:g9+KQMoTG0oR0II5gYb5pVVdNjbc7CiiuqK8vcZjeQg=
 code.superseriousbusiness.org/httpsig v1.4.0/go.mod h1:i2AKpj/WbA/o/UTvia9TAREzt0jP1AH3T1Uxjyhdzlw=
-code.superseriousbusiness.org/oauth2/v4 v4.8.0 h1:4LVXoPJXKgmDfwDegzBQPNpsdleMaL6YmDgFi6UDgEE=
-code.superseriousbusiness.org/oauth2/v4 v4.8.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors=
+code.superseriousbusiness.org/oauth2/v4 v4.9.0 h1:qf97GgsWKwJW8+m8puTIh+CUpPuhGvY5c7x8jAcnb8M=
+code.superseriousbusiness.org/oauth2/v4 v4.9.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors=
 codeberg.org/gruf/go-bitutil v1.1.0 h1:U1Q+A1mtnPk+npqYrlRBc9ar2C5hYiBd17l1Wrp2Bt8=
 codeberg.org/gruf/go-bitutil v1.1.0/go.mod h1:rGibFevYTQfYKcPv0Df5KpG8n5xC3AfD4d/UgYeoNy0=
 codeberg.org/gruf/go-bytesize v1.0.3 h1:Tz8tCxhPLeyM5VryuBNjUHgKmLj4Bx9RbPaUSA3qg6g=
@ -326,8 +326,6 @@ github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
 github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/ncruces/go-sqlite3 v0.25.2 h1:suu3C7y92hPqozqO8+w3K333Q1VhWyN6K3JJKXdtC2U=
-github.com/ncruces/go-sqlite3 v0.25.2/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o=
 github.com/ncruces/go-sqlite3 v0.26.0 h1:dY6ASfuhSEbtSge6kJwjyJVC7bXCpgEVOycmdboKJek=
 github.com/ncruces/go-sqlite3 v0.26.0/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
--- a/internal/oauth/server.go
+++ b/internal/oauth/server.go
@ -128,6 +128,7 @@ func New(
 			AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{
 				oauth2.CodeChallengeS256,
 			},
+			DefaultCodeChallengeMethod: oauth2.CodeChallengeS256,
 		},
 		manager,
 	)
--- a/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
+++ b/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
@ -9,12 +9,27 @@ import (

 // Config configuration parameters
 type Config struct {
-	TokenType                   string                // token type
-	AllowGetAccessRequest       bool                  // to allow GET requests for the token
-	AllowedResponseTypes        []oauth2.ResponseType // allow the authorization type
-	AllowedGrantTypes           []oauth2.GrantType    // allow the grant type
+	// token type
+	TokenType string
+
+	// to allow GET requests for the token
+	AllowGetAccessRequest bool
+
+	// allow the authorization type
+	AllowedResponseTypes []oauth2.ResponseType
+
+	// allow the grant type
+	AllowedGrantTypes []oauth2.GrantType
+
+	// Allowed values for "code_challenge_method".
 	AllowedCodeChallengeMethods []oauth2.CodeChallengeMethod
-	ForcePKCE                   bool
+
+	// Default to fall back to
+	// if "code_challenge_method"
+	// was not set in the request.
+	DefaultCodeChallengeMethod oauth2.CodeChallengeMethod
+
+	ForcePKCE bool
 }

 // NewConfig create to configuration instance
--- a/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
+++ b/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
@ -1,6 +1,7 @@
 package server

 import (
+	"cmp"
 	"context"
 	"encoding/json"
 	"fmt"
@ -176,7 +177,10 @@ func (s *Server) ValidationAuthorizeRequest(r *http.Request) (*AuthorizeRequest,
 	ccm := oauth2.CodeChallengeMethod(r.FormValue("code_challenge_method"))
 	// set default
 	if ccm == "" {
-		ccm = oauth2.CodeChallengePlain
+		ccm = cmp.Or(
+			s.Config.DefaultCodeChallengeMethod,
+			oauth2.CodeChallengePlain,
+		)
 	}
 	if ccm.String() != "" && !s.CheckCodeChallengeMethod(ccm) {
 		return nil, errors.ErrUnsupportedCodeChallengeMethod
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -207,7 +207,7 @@ code.superseriousbusiness.org/go-png-image-structure/v2
 # code.superseriousbusiness.org/httpsig v1.4.0
 ## explicit; go 1.21
 code.superseriousbusiness.org/httpsig
-# code.superseriousbusiness.org/oauth2/v4 v4.8.0
+# code.superseriousbusiness.org/oauth2/v4 v4.9.0
 ## explicit; go 1.23.0
 code.superseriousbusiness.org/oauth2/v4
 code.superseriousbusiness.org/oauth2/v4/errors