dandri/matrix-authentication-service
1
0
Fork 0
mirror of https://github.com/element-hq/matrix-authentication-service.git synced 2026-05-13 21:33:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make sure to consume the device grant to avoid replays

Browse Source
This commit is contained in:
Quentin Gliech
2024-12-11 13:53:40 +01:00
parent 1dbed14113
commit dcf739cf6c
1 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
crates/handlers/src/oauth2/token.rs
+18 -1
View File
@@ -780,7 +780,11 @@ async fn device_code_grant(
// Start the session
let mut session = repo
.oauth2_session()
.add_from_browser_session(rng, clock, client, &browser_session, grant.scope)
.add_from_browser_session(rng, clock, client, &browser_session, grant.scope.clone())
.await?;
repo.oauth2_device_code_grant()
.exchange(clock, grant, &session)
.await?;
// XXX: should we get the user agent from the device code grant instead?
@@ -1605,6 +1609,19 @@ mod tests {
// We asked for the openid scope, so we should have an ID token
assert!(response.id_token.is_some());
// Calling it again should fail
let request =
Request::post(mas_router::OAuth2TokenEndpoint::PATH).form(serde_json::json!({
"grant_type": "urn:ietf:params:oauth:grant-type:device_code",
"device_code": grant.device_code,
"client_id": client_id,
}));
let response = state.request(request).await;
response.assert_status(StatusCode::BAD_REQUEST);
let ClientError { error, .. } = response.json();
assert_eq!(error, ClientErrorCode::InvalidGrant);
// Do another grant and make it expire
let request = Request::post(mas_router::OAuth2DeviceAuthorizationEndpoint::PATH).form(
serde_json::json!({