use public field to block confidential grants

jarlah · jarlah · commit be5bcc1014b6 · 2023-01-20T09:40:21.000+01:00
diff --git a/manage/manager.go b/manage/manager.go
@@ -287,7 +287,7 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,
 		if !cliPass.VerifyPassword(tgr.ClientSecret) {
 			return nil, errors.ErrInvalidClient
 		}
-	} else if cli.IsPublic() == false && len(cli.GetSecret()) > 0 && tgr.ClientSecret != cli.GetSecret() {
+	} else if len(cli.GetSecret()) > 0 && tgr.ClientSecret != cli.GetSecret() {
 		return nil, errors.ErrInvalidClient
 	}
 	if tgr.RedirectURI != "" {
@@ -296,6 +296,10 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,
 		}
 	}
 
+	if gt == oauth2.ClientCredentials && cli.IsPublic() == true {
+		return nil, errors.ErrInvalidClient
+	}
+
 	if gt == oauth2.AuthorizationCode {
 		ti, err := m.getAndDelAuthorizationCode(ctx, tgr)
 		if err != nil {
diff --git a/server/server_test.go b/server/server_test.go
@@ -38,9 +38,15 @@ func init() {
 
 func clientStore(domain string, public bool) oauth2.ClientStore {
 	clientStore := store.NewClientStore()
+	var secret string
+	if public {
+		secret = ""
+	} else {
+		secret = clientSecret
+	}
 	clientStore.Set(clientID, &models.Client{
 		ID:     clientID,
-		Secret: clientSecret,
+		Secret: secret,
 		Domain: domain,
 		Public: public,
 	})

Original file line number	Diff line number	Diff line change
`@@ -287,7 +287,7 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,`
`287`	`287`	`if !cliPass.VerifyPassword(tgr.ClientSecret) {`
`288`	`288`	`return nil, errors.ErrInvalidClient`
`289`	`289`	`}`
`290`		`- } else if cli.IsPublic() == false && len(cli.GetSecret()) > 0 && tgr.ClientSecret != cli.GetSecret() {`
	`290`	`+ } else if len(cli.GetSecret()) > 0 && tgr.ClientSecret != cli.GetSecret() {`
`291`	`291`	`return nil, errors.ErrInvalidClient`
`292`	`292`	`}`
`293`	`293`	`if tgr.RedirectURI != "" {`
`@@ -296,6 +296,10 @@ func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType,`
`296`	`296`	`}`
`297`	`297`	`}`
`298`	`298`
	`299`	`+ if gt == oauth2.ClientCredentials && cli.IsPublic() == true {`
	`300`	`+ return nil, errors.ErrInvalidClient`
	`301`	`+ }`
	`302`	`+`
`299`	`303`	`if gt == oauth2.AuthorizationCode {`
`300`	`304`	`ti, err := m.getAndDelAuthorizationCode(ctx, tgr)`
`301`	`305`	`if err != nil {`