From 118d4e4d0361c7bc52c3092ba34273a31122c0db Mon Sep 17 00:00:00 2001
From: tobi
Date: Thu, 5 Jun 2025 11:29:36 +0200
Subject: [PATCH] [bugfix] Assume default code challenge method of s256 (#4241)

Bumps our oauth2 dependency, and uses *default* code challenge method of S256 instead of plain.
Fixes https://codeberg.org/superseriousbusiness/gotosocial/issues/4238
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4241
Co-authored-by: tobi
Co-committed-by: tobi
---
 go.mod | 2 +-
 go.sum | 6 ++---
 internal/oauth/server.go | 1 +
 .../oauth2/v4/server/config.go | 25 +++++++++++++++----
 .../oauth2/v4/server/server.go | 6 ++++-
 vendor/modules.txt | 2 +-
 6 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index bae440989..6f827bab8 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 	code.superseriousbusiness.org/activity v1.15.0
 	code.superseriousbusiness.org/exif-terminator v0.11.0
 	code.superseriousbusiness.org/httpsig v1.4.0
-	code.superseriousbusiness.org/oauth2/v4 v4.8.0
+	code.superseriousbusiness.org/oauth2/v4 v4.9.0
 	codeberg.org/gruf/go-bitutil v1.1.0
 	codeberg.org/gruf/go-bytesize v1.0.3
 	codeberg.org/gruf/go-byteutil v1.3.0
diff --git a/go.sum b/go.sum
index 9e58407f9..23adfc37c 100644
--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,8 @@ code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 h1:I512jiIeXDC4//
 code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0/go.mod h1:SNHomXNW88o1pFfLHpD4KsCZLfcr4z5dm+xcX5SV10A=
 code.superseriousbusiness.org/httpsig v1.4.0 h1:g9+KQMoTG0oR0II5gYb5pVVdNjbc7CiiuqK8vcZjeQg=
 code.superseriousbusiness.org/httpsig v1.4.0/go.mod h1:i2AKpj/WbA/o/UTvia9TAREzt0jP1AH3T1Uxjyhdzlw=
-code.superseriousbusiness.org/oauth2/v4 v4.8.0 h1:4LVXoPJXKgmDfwDegzBQPNpsdleMaL6YmDgFi6UDgEE=
-code.superseriousbusiness.org/oauth2/v4 v4.8.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors=
+code.superseriousbusiness.org/oauth2/v4 v4.9.0 h1:qf97GgsWKwJW8+m8puTIh+CUpPuhGvY5c7x8jAcnb8M=
+code.superseriousbusiness.org/oauth2/v4 v4.9.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors=
 codeberg.org/gruf/go-bitutil v1.1.0 h1:U1Q+A1mtnPk+npqYrlRBc9ar2C5hYiBd17l1Wrp2Bt8=
 codeberg.org/gruf/go-bitutil v1.1.0/go.mod h1:rGibFevYTQfYKcPv0Df5KpG8n5xC3AfD4d/UgYeoNy0=
 codeberg.org/gruf/go-bytesize v1.0.3 h1:Tz8tCxhPLeyM5VryuBNjUHgKmLj4Bx9RbPaUSA3qg6g=
@@ -326,8 +326,6 @@ github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
 github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/ncruces/go-sqlite3 v0.25.2 h1:suu3C7y92hPqozqO8+w3K333Q1VhWyN6K3JJKXdtC2U=
-github.com/ncruces/go-sqlite3 v0.25.2/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o=
 github.com/ncruces/go-sqlite3 v0.26.0 h1:dY6ASfuhSEbtSge6kJwjyJVC7bXCpgEVOycmdboKJek=
 github.com/ncruces/go-sqlite3 v0.26.0/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
diff --git a/internal/oauth/server.go b/internal/oauth/server.go
index 05872318a..b61a86ea1 100644
--- a/internal/oauth/server.go
+++ b/internal/oauth/server.go
@@ -128,6 +128,7 @@ func New(
 			AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{
 				oauth2.CodeChallengeS256,
 			},
+			DefaultCodeChallengeMethod: oauth2.CodeChallengeS256,
 		},
 		manager,
 	)
diff --git a/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go b/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
index 7894f4003..4e3b1a475 100644
--- a/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
+++ b/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
@@ -9,12 +9,27 @@ import (
 
 // Config configuration parameters
 type Config struct {
-	TokenType                   string                       // token type
-	AllowGetAccessRequest       bool                         // to allow GET requests for the token
-	AllowedResponseTypes        []oauth2.ResponseType        // allow the authorization type
-	AllowedGrantTypes           []oauth2.GrantType           // allow the grant type
+	// token type
+	TokenType string
+
+	// to allow GET requests for the token
+	AllowGetAccessRequest bool
+
+	// allow the authorization type
+	AllowedResponseTypes []oauth2.ResponseType
+
+	// allow the grant type
+	AllowedGrantTypes []oauth2.GrantType
+
+	// Allowed values for "code_challenge_method".
 	AllowedCodeChallengeMethods []oauth2.CodeChallengeMethod
-	ForcePKCE                   bool
+
+	// Default to fall back to
+	// if "code_challenge_method"
+	// was not set in the request.
+	DefaultCodeChallengeMethod oauth2.CodeChallengeMethod
+
+	ForcePKCE bool
 }
 
 // NewConfig create to configuration instance
diff --git a/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go b/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
index 82f6ff8c3..91b9effb7 100644
--- a/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
+++ b/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"cmp"
 	"context"
 	"encoding/json"
 	"fmt"
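Review bot: The added `DefaultCodeChallengeMethod: oauth2.CodeChallengeS256` line is a deliberate deviation from RFC 7636 §4.3, where a request that omits `code_challenge_method` is treated as `plain`, and nothing in the hunk records why. Because `AllowedCodeChallengeMethods` just above lists only S256, the library's fallback to plain (visible in the vendored `ValidationAuthorizeRequest` hunk, where an empty default becomes `CodeChallengePlain`) would make every request lacking the method parameter fail the allow-list check, so S256 is the only default that can pass here; a client that actually sent a plain challenge without naming the method will presumably now fail verification at token exchange, which is fail-closed but worth stating. I would document that on the new line: `// Treat a missing code_challenge_method as S256 rather than RFC 7636's "plain" default: plain is not in the allow-list above, so S256 is the only default that can validate.` Note also that the two fields must stay in sync — a future change to the allow-list that drops S256 would silently reintroduce the rejection this commit fixes. The enclosing function `New` starts before the hunk, so whether any caller already enforces this pairing is not visible here.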
@@ -176,7 +177,10 @@ func (s *Server) ValidationAuthorizeRequest(r *http.Request) (*AuthorizeRequest,
 	ccm := oauth2.CodeChallengeMethod(r.FormValue("code_challenge_method"))
 	// set default
 	if ccm == "" {
-		ccm = oauth2.CodeChallengePlain
+		ccm = cmp.Or(
+			s.Config.DefaultCodeChallengeMethod,
+			oauth2.CodeChallengePlain,
+		)
 	}
 	if ccm.String() != "" && !s.CheckCodeChallengeMethod(ccm) {
 		return nil, errors.ErrUnsupportedCodeChallengeMethod
diff --git a/vendor/modules.txt b/vendor/modules.txt
index dfeb502bd..1f67922bf 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -207,7 +207,7 @@ code.superseriousbusiness.org/go-png-image-structure/v2
 # code.superseriousbusiness.org/httpsig v1.4.0
 ## explicit; go 1.21
 code.superseriousbusiness.org/httpsig
-# code.superseriousbusiness.org/oauth2/v4 v4.8.0
+# code.superseriousbusiness.org/oauth2/v4 v4.9.0
 ## explicit; go 1.23.0
 code.superseriousbusiness.org/oauth2/v4
 code.superseriousbusiness.org/oauth2/v4/errors