fix(coderd): harden OAuth2 provider security by ThomasK33 · Pull Request #22194 · coder/coder
ThomasK33 changed the title from "fix(oauth2): add CSRF protection to /oauth2/authorize endpoint" to "fix(oauth2): harden OAuth2 provider — CSRF, PKCE, state, redirect_uri, CSP"
ThomasK33 changed the title from "fix(oauth2): harden OAuth2 provider — CSRF, PKCE, state, redirect_uri, CSP" to "fix(oauth2): improve OAuth2 provider's security with CSRF, PKCE, state, redirect_uri, and CSP"
ThomasK33 changed the title from "fix(oauth2): improve OAuth2 provider's security with CSRF, PKCE, state, redirect_uri, and CSP" to "fix(coderd): harden OAuth2 provider security"
…ct URI matching

Update all OAuth2 tests to comply with the new OAuth 2.1 security requirements where state, code_challenge, and code_verifier are now mandatory parameters.

Changes:
- coderd/oauth2_test.go: Add generatePKCE helper; update authorizationFlow to return verifier; update all 4 callers and 3 manual flows; update customTokenExchange to accept codeVerifier; update NestedPath test to expect authError (exact redirect URI matching)
- coderd/oauth2provider/oauth2providertest/oauth2_test.go: Rename TestOAuth2WithoutPKCE to TestOAuth2WithoutPKCEIsRejected (expects 400); add PKCE to ClientSecretBasic and ClientSecretBasicInvalidSecret tests
- coderd/mcp/mcp_e2e_test.go: Add mcpGeneratePKCE helper; add PKCE to static and dynamic client auth flows and token exchanges
- coderd/database/dbgen/dbgen.go: Add missing RedirectUri field to OAuth2ProviderAppCode seed
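The commit message above lists three server-side rules the tests now expect: state and code_challenge are mandatory at the authorize step, the code_verifier presented at token exchange must match the stored S256 challenge, and redirect_uri must match the registered URI exactly (so a nested-path variant is an error). The following Go example is added here to illustrate those checks; it is not Coder's code and does not reproduce the PR's own helpers. The `generatePKCE` function shares its name with the test helper mentioned in the commit, but its body is an assumption, as are the `AuthorizeRequest` type, the `ValidateAuthorize` / `ValidateTokenExchange` functions, the error values, and the sample URIs.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// generatePKCE is an assumed client-side helper (not the PR's helper of the same
// name): it returns a random code_verifier and its S256 code_challenge as in RFC 7636.
func generatePKCE() (verifier, challenge string, err error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", "", err
	}
	// 32 random bytes encode to 43 unpadded URL-safe characters, within the 43..128 range.
	verifier = base64.RawURLEncoding.EncodeToString(buf)
	return verifier, s256Challenge(verifier), nil
}

// s256Challenge derives the S256 code_challenge from a code_verifier.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeRequest models the parameters a provider records at /oauth2/authorize
// (assumed shape, not the project's type).
type AuthorizeRequest struct {
	State         string
	CodeChallenge string
	RedirectURI   string
}

var (
	ErrMissingState     = errors.New("state is required")
	ErrMissingChallenge = errors.New("code_challenge is required")
	ErrRedirectMismatch = errors.New("redirect_uri must exactly match the registered URI")
	ErrBadVerifier      = errors.New("code_verifier does not match code_challenge")
)

// ValidateAuthorize rejects requests without state or PKCE and requires an exact
// redirect_uri match: prefix or nested-path variants of the registered URI are errors.
func ValidateAuthorize(req AuthorizeRequest, registeredURI string) error {
	if req.State == "" {
		return ErrMissingState
	}
	if req.CodeChallenge == "" {
		return ErrMissingChallenge
	}
	if subtle.ConstantTimeCompare([]byte(req.RedirectURI), []byte(registeredURI)) != 1 {
		return ErrRedirectMismatch
	}
	return nil
}

// ValidateTokenExchange checks the code_verifier presented at token exchange against
// the challenge stored with the authorization code; a missing verifier is rejected.
func ValidateTokenExchange(storedChallenge, codeVerifier string) error {
	if codeVerifier == "" {
		return ErrBadVerifier
	}
	got := s256Challenge(codeVerifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return ErrBadVerifier
	}
	return nil
}

func main() {
	verifier, challenge, err := generatePKCE()
	if err != nil {
		panic(err)
	}
	const registered = "https://app.example/callback" // constructed sample URI
	ok := AuthorizeRequest{State: "opaque-state", CodeChallenge: challenge, RedirectURI: registered}
	fmt.Println("authorize (valid):", ValidateAuthorize(ok, registered))
	nested := ok
	nested.RedirectURI = registered + "/nested"
	fmt.Println("authorize (nested path):", ValidateAuthorize(nested, registered))
	fmt.Println("token (valid verifier):", ValidateTokenExchange(challenge, verifier))
	fmt.Println("token (wrong verifier):", ValidateTokenExchange(challenge, verifier+"x"))
}
```

Mapping these errors to HTTP responses (the 400 the renamed TestOAuth2WithoutPKCEIsRejected expects, or the authError redirect the NestedPath test expects) is left to the caller; the constant-time comparisons matter mainly for the verifier, but using them for the URI as well keeps the two checks uniform.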