mirror of
https://github.com/go-gitea/gitea.git
synced 2026-05-19 07:52:01 +00:00
Backport #37704

This PR hardens OAuth token exchange validation by binding exchanged credentials to the client and redirect URI that originally obtained them.

What it changes:

- reject refresh token exchanges when the refresh token belongs to a different OAuth application
- reject authorization code exchanges when the `redirect_uri` in the token request differs from the `redirect_uri` stored with the authorization code
- add integration coverage for:
  - authorization code exchange with a mismatched redirect URI
  - refresh token reuse across two different dynamically created OAuth applications

Why:

OAuth authorization codes and refresh tokens must remain bound to the client context that originally received them. Without those checks:

- a valid authorization code can be redeemed against a different registered redirect URI of the same client
- a refresh token can be replayed by a different OAuth client

---------

Co-authored-by: Nicolas <bircni@icloud.com>
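The two checks the PR describes, shown as an added example in Go rather than Gitea's own code: an in-memory token endpoint that stores each authorization code with the client and the exact `redirect_uri` from the authorization request, stores each refresh token with the client it was issued to, and rejects a token request when either binding does not match. The type names, the in-memory maps and the `rt-N` token strings are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Gitea's code. All type and function names here are
// assumptions made to illustrate the checks, not the project's own API.

type authCode struct {
	clientID    string // OAuth application that requested the code
	redirectURI string // exact redirect_uri sent in the authorization request
	used        bool   // authorization codes are single use
}

type refreshToken struct {
	clientID string // OAuth application the token was issued to
}

type TokenServer struct {
	codes   map[string]*authCode
	refresh map[string]*refreshToken
	issued  int // counter used to mint distinct token strings
}

var (
	ErrInvalidCode         = errors.New("invalid_grant: unknown or already used authorization code")
	ErrInvalidRefreshToken = errors.New("invalid_grant: unknown refresh token")
	ErrClientMismatch      = errors.New("invalid_grant: credential was issued to a different client")
	ErrRedirectURIMismatch = errors.New("invalid_grant: redirect_uri does not match the authorization request")
)

func NewTokenServer() *TokenServer {
	return &TokenServer{codes: map[string]*authCode{}, refresh: map[string]*refreshToken{}}
}

// IssueCode records a code the way the authorization endpoint would after the
// user approved clientID with the given redirect_uri.
func (s *TokenServer) IssueCode(code, clientID, redirectURI string) {
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI}
}

// mint creates a fresh refresh token bound to clientID.
func (s *TokenServer) mint(clientID string) string {
	s.issued++
	tok := fmt.Sprintf("rt-%d", s.issued)
	s.refresh[tok] = &refreshToken{clientID: clientID}
	return tok
}

// ExchangeCode handles grant_type=authorization_code. The redirect_uri check is
// an exact string comparison, as RFC 6749 section 4.1.3 requires: a different
// URI that is also registered for the same client is still a mismatch.
func (s *TokenServer) ExchangeCode(clientID, code, redirectURI string) (string, error) {
	ac, ok := s.codes[code]
	if !ok || ac.used {
		return "", ErrInvalidCode
	}
	if ac.clientID != clientID {
		return "", ErrClientMismatch
	}
	if ac.redirectURI != redirectURI {
		return "", ErrRedirectURIMismatch
	}
	ac.used = true
	return s.mint(clientID), nil
}

// Refresh handles grant_type=refresh_token. The token is only accepted from the
// client it was issued to, and is rotated on every successful use.
func (s *TokenServer) Refresh(clientID, token string) (string, error) {
	rt, ok := s.refresh[token]
	if !ok {
		return "", ErrInvalidRefreshToken
	}
	if rt.clientID != clientID {
		return "", ErrClientMismatch
	}
	delete(s.refresh, token)
	return s.mint(clientID), nil
}

func main() {
	s := NewTokenServer()
	s.IssueCode("code-1", "app-a", "https://a.example/cb")

	// Same client, different redirect URI: rejected even if that URI is registered.
	_, err := s.ExchangeCode("app-a", "code-1", "https://a.example/other-cb")
	fmt.Println("mismatched redirect_uri:", err)

	tok, err := s.ExchangeCode("app-a", "code-1", "https://a.example/cb")
	fmt.Println("exact redirect_uri:", tok, err)

	// Replay of app-a's refresh token by app-b: rejected.
	_, err = s.Refresh("app-b", tok)
	fmt.Println("refresh from other client:", err)

	tok2, err := s.Refresh("app-a", tok)
	fmt.Println("refresh from owner:", tok2, err)
}
```

The order of checks matters for what an attacker learns: the code is looked up first, then the client binding, then the redirect URI, so a caller holding someone else's code gets the same `invalid_grant` class of error in every case. Rotating the refresh token on each use is not part of the PR's description but is the usual companion to client binding, since it limits how long a leaked token stays useful to its rightful client as well.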