[bugfix] Assume default code challenge method of s256 (#4241)

Bumps our oauth2 dependency, and uses *default* code challenge method of S256 instead of plain. Fixes https://codeberg.org/superseriousbusiness/gotosocial/issues/4238 Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4241 Co-authored-by: tobi <tobi.smethurst@protonmail.com> Co-committed-by: tobi <tobi.smethurst@protonmail.com>
2025-10-28 20:02:24 -05:00 · 2025-06-05 11:29:36 +02:00 · 2025-06-05 11:29:36 +02:00 · 118d4e4d03
commit 118d4e4d03
parent 43f1c6d872
6 changed files with 30 additions and 12 deletions
--- a/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
+++ b/vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go
@ -9,12 +9,27 @@ import (

 // Config configuration parameters
 type Config struct {
-	TokenType                   string                // token type
-	AllowGetAccessRequest       bool                  // to allow GET requests for the token
-	AllowedResponseTypes        []oauth2.ResponseType // allow the authorization type
-	AllowedGrantTypes           []oauth2.GrantType    // allow the grant type
+	// token type
+	TokenType string
+
+	// to allow GET requests for the token
+	AllowGetAccessRequest bool
+
+	// allow the authorization type
+	AllowedResponseTypes []oauth2.ResponseType
+
+	// allow the grant type
+	AllowedGrantTypes []oauth2.GrantType
+
+	// Allowed values for "code_challenge_method".
 	AllowedCodeChallengeMethods []oauth2.CodeChallengeMethod
-	ForcePKCE                   bool
+
+	// Default to fall back to
+	// if "code_challenge_method"
+	// was not set in the request.
+	DefaultCodeChallengeMethod oauth2.CodeChallengeMethod
+
+	ForcePKCE bool
 }

 // NewConfig create to configuration instance
--- a/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
+++ b/vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go
@ -1,6 +1,7 @@
 package server

 import (
+	"cmp"
 	"context"
 	"encoding/json"
 	"fmt"
@ -176,7 +177,10 @@ func (s *Server) ValidationAuthorizeRequest(r *http.Request) (*AuthorizeRequest,
 	ccm := oauth2.CodeChallengeMethod(r.FormValue("code_challenge_method"))
 	// set default
 	if ccm == "" {
-		ccm = oauth2.CodeChallengePlain
+		ccm = cmp.Or(
+			s.Config.DefaultCodeChallengeMethod,
+			oauth2.CodeChallengePlain,
+		)
 	}
 	if ccm.String() != "" && !s.CheckCodeChallengeMethod(ccm) {
 		return nil, errors.ErrUnsupportedCodeChallengeMethod
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -207,7 +207,7 @@ code.superseriousbusiness.org/go-png-image-structure/v2
 # code.superseriousbusiness.org/httpsig v1.4.0
 ## explicit; go 1.21
 code.superseriousbusiness.org/httpsig
-# code.superseriousbusiness.org/oauth2/v4 v4.8.0
+# code.superseriousbusiness.org/oauth2/v4 v4.9.0
 ## explicit; go 1.23.0
 code.superseriousbusiness.org/oauth2/v4
 code.superseriousbusiness.org/oauth2/v4/errors