mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-11-04 08:21:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

Revert "Prevent automatic OAuth grants for public clients (#30790) (#30836)"

Browse source 
This reverts commit 248a5b8d7a.

This commit introduces a regression descrdibed at

https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426

There is a commit to try and fix it, but it is similarly
untested. Let's not accumulate regressions and wait until it is either
field tested by humans in Gitea or a test is written.

https://github.com/go-gitea/gitea/pull/31015/files
This commit is contained in:
Earl Warren 2024-05-22 16:37:00 +02:00
commit 6771312133
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
1 changed files with 2 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

5
routers/web/auth/oauth.go
View file

@ -469,9 +469,8 @@ func AuthorizeOAuth(ctx *context.Context) {
return return
} }
// Redirect if user already granted access and the application is confidential. // Redirect if user already granted access
// I.e. always require authorization for public clients as recommended by RFC 6749 Section 10.2 if grant != nil {
if app.ConfidentialClient && grant != nil {
code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod) code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
if err != nil { if err != nil {
handleServerError(ctx, form.State, form.RedirectURI) handleServerError(ctx, form.State, form.RedirectURI)