mirror of
1
Fork 0
forgejo/routers
Archer 02474498b1
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
(cherry picked from commit 1b088fade6)
2024-06-06 13:58:50 +02:00
..
api Check the token's owner and repository when registering a runner (#30406) (#30412) 2024-04-15 09:35:37 +02:00
common Fix incorrect cookie path for AppSubURL (#29534) (#29552) 2024-03-10 18:45:59 +07:00
install Fix validity of the FROM email address not being checked (#29347) (#29360) 2024-03-06 12:20:42 +08:00
private hooks: Harden when we accept push options that change repo settings 2024-04-18 11:53:30 +02:00
utils Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
web Prevent automatic OAuth grants for public clients (#30790) 2024-06-06 13:58:50 +02:00
init.go [API] Forgejo API /api/forgejo/v1 2023-11-13 12:33:48 +01:00