Fix: Don't re-use authorization codes

Jamie Tanna requested to merge defect/authz-code into develop

As noted in #243 (closed), I misimplemented the IndieAuth spec, ending up performing authorization code verification and authorization code grant, which is not allowed as the authorization code should be single-use.

When IndieAuth.com fixed this, www-editor broke.

To fix this, we need to retrieve the me from the response from the authorization code grant, which results in a few internal tweaks:

  • we need to map the state to the me of a given authorization request
  • we need to return the me from the token endpoint request, which requires mapping the full TokenEndpointResponse, which for now, only includes access_token and me
  • we need to provide a means to determine the me for a given state value

Closes #243 (closed).
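The flow described in this merge request, as an added example that is not www-editor's own code: a minimal stand-in IndieAuth provider whose codes are consumed on first use at either endpoint, and a client that exchanges the code exactly once at the token endpoint, reads `me` from the TokenEndpointResponse and keeps the state-to-me mapping. Profile URLs, state and code values are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenEndpointResponse:
    """What the client maps from the token endpoint: for now only these two fields."""
    access_token: str
    me: str


class IndieAuthServer:
    """Stand-in provider (assumption, not IndieAuth.com). Each code is bound to a
    profile URL and removed the first time it is redeemed at either endpoint."""

    def __init__(self):
        self._codes = {}  # code -> me, entry deleted once redeemed

    def issue_code(self, me):
        code = secrets.token_urlsafe(16)
        self._codes[code] = me
        return code

    def _redeem(self, code):
        # pop() is what makes the code single-use: a second redemption finds nothing
        me = self._codes.pop(code, None)
        if me is None:
            raise PermissionError("invalid or already-used authorization code")
        return me

    def verify_code(self, code):
        """Authorization endpoint: code verification, returns only the profile URL."""
        return {"me": self._redeem(code)}

    def grant_token(self, code):
        """Token endpoint: authorization code grant, returns token plus profile URL."""
        return TokenEndpointResponse(secrets.token_urlsafe(24), self._redeem(code))


class Client:
    def __init__(self, server):
        self.server = server
        self.me_by_state = {}  # state -> me, filled from the token response

    def broken_callback(self, state, code):
        # Pre-fix behaviour: verify first, then grant with the same code.
        # The second use is rejected once the provider enforces single use.
        me = self.server.verify_code(code)["me"]
        return self.server.grant_token(code), me

    def fixed_callback(self, state, code):
        # Post-fix behaviour: one exchange, `me` taken from the token response
        resp = self.server.grant_token(code)
        self.me_by_state[state] = resp.me
        return resp

    def me_for_state(self, state):
        return self.me_by_state.get(state)
```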