go-gitea · wxiaoguang · Oct 7, 2022 · Oct 6, 2022 · Oct 6, 2022 · Oct 6, 2022
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
@@ -588,7 +588,8 @@ func OIDCKeys(ctx *context.Context) {
 // AccessTokenOAuth manages all access token requests by the client
 func AccessTokenOAuth(ctx *context.Context) {
  form := *web.GetForm(ctx).(*forms.AccessTokenForm)
- if form.ClientID == "" {
+ // if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header
+ if form.ClientID == "" || form.ClientSecret == "" {
  authHeader := ctx.Req.Header.Get("Authorization")
  authContent := strings.SplitN(authHeader, " ", 2)
  if len(authContent) == 2 && authContent[0] == "Basic" {
@@ -608,7 +609,21 @@ func AccessTokenOAuth(ctx *context.Context) {
  })
  return
  }
+ if form.ClientID != "" && form.ClientID != pair[0] {
+ handleAccessTokenError(ctx, AccessTokenError{
+ ErrorCode: AccessTokenErrorCodeInvalidRequest,
+ ErrorDescription: "client_id in request body inconsistent with Authorization header",
+ })
+ return
+ }
  form.ClientID = pair[0]
+ if form.ClientSecret != "" && form.ClientSecret != pair[1] {
+ handleAccessTokenError(ctx, AccessTokenError{
+ ErrorCode: AccessTokenErrorCodeInvalidRequest,
+ ErrorDescription: "client_secret in request body inconsistent with Authorization header",
+ })
+ return
+ }
  form.ClientSecret = pair[1]
  }
  }
@@ -686,9 +701,13 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
  return
  }
  if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
+ errorDescription := "invalid client secret"
+ if form.ClientSecret == "" {
+ errorDescription = "invalid empty client secret"
+ }
  handleAccessTokenError(ctx, AccessTokenError{
  ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
- ErrorDescription: "invalid client secret",
+ ErrorDescription: errorDescription,
  })
  return
  }