Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-04-03 14:43:03 +02:00
Code Issues Activity

Merge 076844c47d74789e87314ab3b8af5a9703c12c35 into 30c07c20e94551141cc1873ab14bdd4c104bba94

Browse Source
This commit is contained in:
eason 2026-04-03 07:48:35 +00:00 committed by GitHub
commit c335394327
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
models/auth/oauth2.go
View File

@ -537,6 +537,16 @@ func (grant *OAuth2Grant) SetNonce(ctx context.Context, nonce string) error {
return nil
}
// SetScope updates the scope of a grant
func (grant *OAuth2Grant) SetScope(ctx context.Context, scope string) error {
grant.Scope = scope
_, err := db.GetEngine(ctx).ID(grant.ID).Cols("scope").Update(grant)
if err != nil {
return err
}
return nil
}
// GetOAuth2GrantByID returns the grant with the given ID
func GetOAuth2GrantByID(ctx context.Context, id int64) (grant *OAuth2Grant, err error) {
grant = new(OAuth2Grant)

22
routers/web/auth/oauth2_provider.go
View File

@ -286,6 +286,14 @@ func AuthorizeOAuth(ctx *context.Context) {
// Redirect if user already granted access and the application is confidential or trusted otherwise
// I.e. always require authorization for untrusted public clients as recommended by RFC 6749 Section 10.2
if (app.ConfidentialClient || app.SkipSecondaryAuthorization) && grant != nil {
// Update the grant scope if the requested scope has changed, so that
// confidential/trusted clients always get a token with the current scope.
if grant.Scope != form.Scope {
if err := grant.SetScope(ctx, form.Scope); err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
return
}
}
code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
if err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
@ -388,12 +396,14 @@ func GrantApplicationOAuth(ctx *context.Context) {
return
}
} else if grant.Scope != form.Scope {
handleAuthorizeError(ctx, AuthorizeError{
State: form.State,
ErrorDescription: "a grant exists with different scope",
ErrorCode: ErrorCodeServerError,
}, form.RedirectURI)
return
// The user has re-authorized with a different scope. Update the
// existing grant to match the newly consented scope. This avoids
// an infinite redirect loop when the OAuth2 client changes its
// requested scope after the initial authorization.
if err := grant.SetScope(ctx, form.Scope); err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
return
}
}
if len(form.Nonce) > 0 {