Backport #37706 This PR tightens several OAuth validation paths related to PKCE handling, redirect URI normalization, and refresh-token replay safety. What it changes: - switch redirect URI comparison to ASCII-only normalization for exact-match checks, avoiding Unicode case-folding surprises - harden PKCE verification by: - allowing PKCE omission only when no challenge data was stored - rejecting exchanges with a missing verifier when PKCE was used - rejecting malformed challenge state where a challenge exists without a valid method - comparing derived challenges with constant-time string matching - make refresh-token invalidation counter updates conditional on the previously observed counter value, so stale refresh state cannot be accepted after the grant changes Why: These checks close gaps where: - redirect URI comparisons could rely on broader Unicode normalization than intended - malformed or incomplete PKCE state could be treated too permissively - concurrent or stale refresh-token use could advance the same grant more than once Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com>
This commit is contained in:
+80
-25
@@ -12,6 +12,7 @@ import (
|
||||
"code.gitea.io/gitea/modules/timeutil"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
func TestOAuth2AuthorizationCodeValidity(t *testing.T) {
|
||||
@@ -104,6 +105,47 @@ func TestOAuth2Application_ContainsRedirect_Slash(t *testing.T) {
|
||||
assert.False(t, app.ContainsRedirectURI("http://127.0.0.1/other"))
|
||||
}
|
||||
|
||||
func TestOAuth2Application_ContainsRedirectURI_ASCIIOnlyNormalization(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
registered []string
|
||||
redirectURI string
|
||||
allowed bool
|
||||
}{
|
||||
{
|
||||
name: "exact-match",
|
||||
registered: []string{"https://signin.example.test/callback"},
|
||||
redirectURI: "https://signin.example.test/callback",
|
||||
allowed: true,
|
||||
},
|
||||
{
|
||||
name: "ascii-case-insensitive",
|
||||
registered: []string{"https://signin.example.test/callback"},
|
||||
redirectURI: "https://signIN.example.test/callback",
|
||||
allowed: true,
|
||||
},
|
||||
{
|
||||
name: "non-ascii-not-folded",
|
||||
registered: []string{"https://signin.example.test/callback"},
|
||||
redirectURI: "https://signİn.example.test/callback",
|
||||
allowed: false,
|
||||
},
|
||||
{
|
||||
name: "loopback-strips-port",
|
||||
registered: []string{"http://127.0.0.1/callback"},
|
||||
redirectURI: "http://127.0.0.1:12345/callback",
|
||||
allowed: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
app := &auth_model.OAuth2Application{RedirectURIs: tc.registered}
|
||||
assert.Equal(t, tc.allowed, app.ContainsRedirectURI(tc.redirectURI))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestOAuth2Application_ValidateClientSecret(t *testing.T) {
|
||||
assert.NoError(t, unittest.PrepareTestDatabase())
|
||||
app := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{ID: 1})
|
||||
@@ -181,6 +223,16 @@ func TestOAuth2Grant_IncreaseCounter(t *testing.T) {
|
||||
unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 2})
|
||||
}
|
||||
|
||||
func TestOAuth2Grant_IncreaseCounterRejectsStaleCounter(t *testing.T) {
|
||||
assert.NoError(t, unittest.PrepareTestDatabase())
|
||||
grant := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Counter: 1})
|
||||
stale := *grant
|
||||
|
||||
assert.NoError(t, grant.IncreaseCounter(t.Context()))
|
||||
err := stale.IncreaseCounter(t.Context())
|
||||
assert.ErrorIs(t, err, auth_model.ErrOAuth2GrantStaleCounter)
|
||||
}
|
||||
|
||||
func TestOAuth2Grant_ScopeContains(t *testing.T) {
|
||||
assert.NoError(t, unittest.PrepareTestDatabase())
|
||||
grant := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Grant{ID: 1, Scope: "openid profile"})
|
||||
@@ -238,35 +290,38 @@ func TestGetOAuth2AuthorizationByCode(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestOAuth2AuthorizationCode_ValidateCodeChallenge(t *testing.T) {
|
||||
// test plain
|
||||
code := &auth_model.OAuth2AuthorizationCode{
|
||||
CodeChallengeMethod: "plain",
|
||||
CodeChallenge: "test123",
|
||||
}
|
||||
assert.True(t, code.ValidateCodeChallenge("test123"))
|
||||
assert.False(t, code.ValidateCodeChallenge("ierwgjoergjio"))
|
||||
s256Verifier := "s256-verifier"
|
||||
s256Challenge := oauth2.S256ChallengeFromVerifier(s256Verifier)
|
||||
missingVerifierChallenge := oauth2.S256ChallengeFromVerifier("verifier-not-supplied")
|
||||
|
||||
// test S256
|
||||
code = &auth_model.OAuth2AuthorizationCode{
|
||||
CodeChallengeMethod: "S256",
|
||||
CodeChallenge: "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg",
|
||||
testCases := []struct {
|
||||
name string
|
||||
method string
|
||||
challenge string
|
||||
verifier string
|
||||
valid bool
|
||||
}{
|
||||
{"plain-success", "plain", "plain-secret", "plain-secret", true},
|
||||
{"plain-failure", "plain", "plain-secret", "ierwgjoergjio", false},
|
||||
{"s256-success", "S256", s256Challenge, s256Verifier, true},
|
||||
{"s256-failure", "S256", s256Challenge, "wiogjerogorewngoenrgoiuenorg", false},
|
||||
{"unsupported-method", "monkey", "foiwgjioriogeiogjerger", "foiwgjioriogeiogjerger", false},
|
||||
{"no-pkce-configured", "", "", "", true},
|
||||
{"s256-missing-verifier", "S256", missingVerifierChallenge, "", false},
|
||||
{"plain-missing-verifier", "plain", "plain-secret", "", false},
|
||||
{"missing-method-with-challenge", "", "foierjiogerogerg", "", false},
|
||||
{"missing-method-rejects-even-matching-verifier", "", "foierjiogerogerg", "foierjiogerogerg", false},
|
||||
}
|
||||
assert.True(t, code.ValidateCodeChallenge("N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt"))
|
||||
assert.False(t, code.ValidateCodeChallenge("wiogjerogorewngoenrgoiuenorg"))
|
||||
|
||||
// test unknown
|
||||
code = &auth_model.OAuth2AuthorizationCode{
|
||||
CodeChallengeMethod: "monkey",
|
||||
CodeChallenge: "foiwgjioriogeiogjerger",
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
code := &auth_model.OAuth2AuthorizationCode{
|
||||
CodeChallengeMethod: tc.method,
|
||||
CodeChallenge: tc.challenge,
|
||||
}
|
||||
assert.Equal(t, tc.valid, code.ValidateCodeChallenge(tc.verifier))
|
||||
})
|
||||
}
|
||||
assert.False(t, code.ValidateCodeChallenge("foiwgjioriogeiogjerger"))
|
||||
|
||||
// test no code challenge
|
||||
code = &auth_model.OAuth2AuthorizationCode{
|
||||
CodeChallengeMethod: "",
|
||||
CodeChallenge: "foierjiogerogerg",
|
||||
}
|
||||
assert.True(t, code.ValidateCodeChallenge(""))
|
||||
}
|
||||
|
||||
func TestOAuth2AuthorizationCode_GenerateRedirectURI(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user