mirrors/gotosocial
1
0
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial.git synced 2025-10-28 20:02:24 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

[bugfix] Assume default code challenge method of s256 (#4241)

Browse source 
Bumps our oauth2 dependency, and uses *default* code challenge method of S256 instead of plain.

Fixes https://codeberg.org/superseriousbusiness/gotosocial/issues/4238

Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4241
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Co-committed-by: tobi <tobi.smethurst@protonmail.com>
This commit is contained in:
tobi 2025-06-05 11:29:36 +02:00 committed by tobi
commit 118d4e4d03
6 changed files with 30 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

2
go.mod
View file

@ -14,7 +14,7 @@ require (
code.superseriousbusiness.org/activity v1.15.0 code.superseriousbusiness.org/activity v1.15.0
code.superseriousbusiness.org/exif-terminator v0.11.0 code.superseriousbusiness.org/exif-terminator v0.11.0
code.superseriousbusiness.org/httpsig v1.4.0 code.superseriousbusiness.org/httpsig v1.4.0
code.superseriousbusiness.org/oauth2/v4 v4.8.0 code.superseriousbusiness.org/oauth2/v4 v4.9.0
codeberg.org/gruf/go-bitutil v1.1.0 codeberg.org/gruf/go-bitutil v1.1.0
codeberg.org/gruf/go-bytesize v1.0.3 codeberg.org/gruf/go-bytesize v1.0.3
codeberg.org/gruf/go-byteutil v1.3.0 codeberg.org/gruf/go-byteutil v1.3.0

6
go.sum generated
View file

@ -8,8 +8,8 @@ code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0 h1:I512jiIeXDC4//
code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0/go.mod h1:SNHomXNW88o1pFfLHpD4KsCZLfcr4z5dm+xcX5SV10A= code.superseriousbusiness.org/go-png-image-structure/v2 v2.3.0/go.mod h1:SNHomXNW88o1pFfLHpD4KsCZLfcr4z5dm+xcX5SV10A=
code.superseriousbusiness.org/httpsig v1.4.0 h1:g9+KQMoTG0oR0II5gYb5pVVdNjbc7CiiuqK8vcZjeQg= code.superseriousbusiness.org/httpsig v1.4.0 h1:g9+KQMoTG0oR0II5gYb5pVVdNjbc7CiiuqK8vcZjeQg=
code.superseriousbusiness.org/httpsig v1.4.0/go.mod h1:i2AKpj/WbA/o/UTvia9TAREzt0jP1AH3T1Uxjyhdzlw= code.superseriousbusiness.org/httpsig v1.4.0/go.mod h1:i2AKpj/WbA/o/UTvia9TAREzt0jP1AH3T1Uxjyhdzlw=
code.superseriousbusiness.org/oauth2/v4 v4.8.0 h1:4LVXoPJXKgmDfwDegzBQPNpsdleMaL6YmDgFi6UDgEE= code.superseriousbusiness.org/oauth2/v4 v4.9.0 h1:qf97GgsWKwJW8+m8puTIh+CUpPuhGvY5c7x8jAcnb8M=
code.superseriousbusiness.org/oauth2/v4 v4.8.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors= code.superseriousbusiness.org/oauth2/v4 v4.9.0/go.mod h1:+RLRBXPkjP/VhIC/46dcZkx3t5IvBSJYOjVCPgeWors=
codeberg.org/gruf/go-bitutil v1.1.0 h1:U1Q+A1mtnPk+npqYrlRBc9ar2C5hYiBd17l1Wrp2Bt8= codeberg.org/gruf/go-bitutil v1.1.0 h1:U1Q+A1mtnPk+npqYrlRBc9ar2C5hYiBd17l1Wrp2Bt8=
codeberg.org/gruf/go-bitutil v1.1.0/go.mod h1:rGibFevYTQfYKcPv0Df5KpG8n5xC3AfD4d/UgYeoNy0= codeberg.org/gruf/go-bitutil v1.1.0/go.mod h1:rGibFevYTQfYKcPv0Df5KpG8n5xC3AfD4d/UgYeoNy0=
codeberg.org/gruf/go-bytesize v1.0.3 h1:Tz8tCxhPLeyM5VryuBNjUHgKmLj4Bx9RbPaUSA3qg6g= codeberg.org/gruf/go-bytesize v1.0.3 h1:Tz8tCxhPLeyM5VryuBNjUHgKmLj4Bx9RbPaUSA3qg6g=
@ -326,8 +326,6 @@ github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ= github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/ncruces/go-sqlite3 v0.25.2 h1:suu3C7y92hPqozqO8+w3K333Q1VhWyN6K3JJKXdtC2U=
github.com/ncruces/go-sqlite3 v0.25.2/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o=
github.com/ncruces/go-sqlite3 v0.26.0 h1:dY6ASfuhSEbtSge6kJwjyJVC7bXCpgEVOycmdboKJek= github.com/ncruces/go-sqlite3 v0.26.0 h1:dY6ASfuhSEbtSge6kJwjyJVC7bXCpgEVOycmdboKJek=
github.com/ncruces/go-sqlite3 v0.26.0/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o= github.com/ncruces/go-sqlite3 v0.26.0/go.mod h1:46HIzeCQQ+aNleAxCli+vpA2tfh7ttSnw24kQahBc1o=
github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=

1
internal/oauth/server.go
View file

@ -128,6 +128,7 @@ func New(
AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{ AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{
oauth2.CodeChallengeS256, oauth2.CodeChallengeS256,
}, },
DefaultCodeChallengeMethod: oauth2.CodeChallengeS256,
}, },
manager, manager,
) )

25
vendor/code.superseriousbusiness.org/oauth2/v4/server/config.go generated vendored
View file

@ -9,12 +9,27 @@ import (
// Config configuration parameters // Config configuration parameters
type Config struct { type Config struct {
TokenType string // token type // token type
AllowGetAccessRequest bool // to allow GET requests for the token TokenType string
AllowedResponseTypes []oauth2.ResponseType // allow the authorization type
AllowedGrantTypes []oauth2.GrantType // allow the grant type // to allow GET requests for the token
AllowGetAccessRequest bool
// allow the authorization type
AllowedResponseTypes []oauth2.ResponseType
// allow the grant type
AllowedGrantTypes []oauth2.GrantType
// Allowed values for "code_challenge_method".
AllowedCodeChallengeMethods []oauth2.CodeChallengeMethod AllowedCodeChallengeMethods []oauth2.CodeChallengeMethod
ForcePKCE bool
// Default to fall back to
// if "code_challenge_method"
// was not set in the request.
DefaultCodeChallengeMethod oauth2.CodeChallengeMethod
ForcePKCE bool
} }
// NewConfig create to configuration instance // NewConfig create to configuration instance

6
vendor/code.superseriousbusiness.org/oauth2/v4/server/server.go generated vendored
View file

@ -1,6 +1,7 @@
package server package server
import ( import (
"cmp"
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
@ -176,7 +177,10 @@ func (s *Server) ValidationAuthorizeRequest(r *http.Request) (*AuthorizeRequest,
ccm := oauth2.CodeChallengeMethod(r.FormValue("code_challenge_method")) ccm := oauth2.CodeChallengeMethod(r.FormValue("code_challenge_method"))
// set default // set default
if ccm == "" { if ccm == "" {
ccm = oauth2.CodeChallengePlain ccm = cmp.Or(
s.Config.DefaultCodeChallengeMethod,
oauth2.CodeChallengePlain,
)
} }
if ccm.String() != "" && !s.CheckCodeChallengeMethod(ccm) { if ccm.String() != "" && !s.CheckCodeChallengeMethod(ccm) {
return nil, errors.ErrUnsupportedCodeChallengeMethod return nil, errors.ErrUnsupportedCodeChallengeMethod

2
vendor/modules.txt vendored
View file

@ -207,7 +207,7 @@ code.superseriousbusiness.org/go-png-image-structure/v2
# code.superseriousbusiness.org/httpsig v1.4.0 # code.superseriousbusiness.org/httpsig v1.4.0
## explicit; go 1.21 ## explicit; go 1.21
code.superseriousbusiness.org/httpsig code.superseriousbusiness.org/httpsig
# code.superseriousbusiness.org/oauth2/v4 v4.8.0 # code.superseriousbusiness.org/oauth2/v4 v4.9.0
## explicit; go 1.23.0 ## explicit; go 1.23.0
code.superseriousbusiness.org/oauth2/v4 code.superseriousbusiness.org/oauth2/v4
code.superseriousbusiness.org/oauth2/v4/errors code.superseriousbusiness.org/oauth2/v4/errors