Fix: Don't re-use authorization codes

Jamie Tanna requested to merge defect/authz-code into develop

As noted in #243 (closed), I misimplemented the IndieAuth spec, ending up performing authorization code verification and authorization code grant, which is not allowed as the authorization code should be single use.

When I fixed this, www-editor broke.

To fix this, we need to retrieve the me from the response from the authorization code grant, which results in a few internal tweaks:

  • we need to map the state to the me of a given authorization request
  • we need to return the me from the token endpoint request, which requires mapping the full TokenEndpointResponse, which for now, only includes access_token and me
  • we need to provide a means to determine the me for a given state value

Closes #243 (closed).
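
Added example, not code from this merge request: a minimal Python sketch of the flow the description outlines, in which the client redeems the authorization code exactly once at the token endpoint and takes `me` from that response instead of running a separate verification step first. The `TokenEndpoint` and `Client` classes, their method names and the in-memory maps are assumptions made for illustration; only `TokenEndpointResponse`, `access_token`, `me` and `state` come from the description.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenEndpointResponse:
    access_token: str
    me: str

class TokenEndpoint:
    """Constructed stand-in for a token endpoint that enforces single-use codes."""
    def __init__(self):
        self._codes = {}  # authorization code -> me it was issued for

    def issue_code(self, me):
        code = secrets.token_urlsafe(16)
        self._codes[code] = me
        return code

    def redeem(self, code):
        # pop() removes the code on first use, so any second redemption fails.
        me = self._codes.pop(code, None)
        if me is None:
            raise PermissionError("invalid_grant: code unknown or already used")
        return TokenEndpointResponse(secrets.token_urlsafe(32), me)

class Client:
    """Hypothetical client side: tracks state values and the me resolved for each."""
    def __init__(self, endpoint):
        self._endpoint = endpoint
        self._pending = set()    # state values of in-flight authorization requests
        self._me_by_state = {}   # state -> me, filled from the token response

    def begin(self):
        state = secrets.token_urlsafe(16)
        self._pending.add(state)
        return state

    def callback(self, state, code):
        if state not in self._pending:
            raise PermissionError("unknown or replayed state")
        self._pending.discard(state)
        # The only use of the code: no separate verification request before this.
        response = self._endpoint.redeem(code)
        self._me_by_state[state] = response.me
        return response

    def me_for_state(self, state):
        return self._me_by_state.get(state)
```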