From 75a4462fd15fd51bfab90c4dfe0aa690ca416110 Mon Sep 17 00:00:00 2001
From: Abdullah Atta
Date: Tue, 14 Oct 2025 21:50:57 +0500
Subject: [PATCH] identity: add client id checks in grant validators

---
 .../Validation/MFAGrantValidator.cs | 4 ++--
 .../Validation/MFAPasswordGrantValidator.cs | 13 +++++-------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/Streetwriters.Identity/Validation/MFAGrantValidator.cs b/Streetwriters.Identity/Validation/MFAGrantValidator.cs
index 888b6b9..0f71bd7 100644
--- a/Streetwriters.Identity/Validation/MFAGrantValidator.cs
+++ b/Streetwriters.Identity/Validation/MFAGrantValidator.cs
@@ -75,8 +75,8 @@ namespace Streetwriters.Identity.Validation
 var tokenValidationResult = await TokenValidator.ValidateAccessTokenAsync(tokenResult.Token, Config.MFA_GRANT_TYPE_SCOPE);
 if (tokenValidationResult.IsError) return;
- var client = Clients.FindClientById(tokenValidationResult.Claims.GetClaimValue("client_id"));
- if (client == null)
+ var client = Clients.FindClientById(context.Request.ClientId);
+ if (client == null || context.Request.ClientId != tokenValidationResult.Claims.GetClaimValue("client_id"))
 {
 context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient);
 return;
diff --git a/Streetwriters.Identity/Validation/MFAPasswordGrantValidator.cs b/Streetwriters.Identity/Validation/MFAPasswordGrantValidator.cs
index 2b12fc6..391c457 100644
--- a/Streetwriters.Identity/Validation/MFAPasswordGrantValidator.cs
+++ b/Streetwriters.Identity/Validation/MFAPasswordGrantValidator.cs
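Review bot: The new guard on the `if` line compares `context.Request.ClientId` against the raw claim lookup inline, which makes the intent — the bearer MFA token must have been issued to the very client now completing the grant — easy to miss and hard to log. I'd pull the claim into a local and make the comparison explicit: `var tokenClientId = tokenValidationResult.Claims.GetClaimValue("client_id");` / `var client = Clients.FindClientById(context.Request.ClientId);` / `if (client == null || !string.Equals(context.Request.ClientId, tokenClientId, StringComparison.Ordinal))` (assuming `System` is imported), preceded by a comment such as `// the MFA token is bound to the client that obtained it; a token presented by any other client is rejected`. A mismatch here is a cross-client replay signal, so if the validator has a logger available, a warning naming both ids before setting InvalidClient would help detection; returning InvalidClient is otherwise the right fail-closed outcome, including when the claim is absent, since a null claim never equals the request's client id. The same applies to the identical hunk at the top of MFAPasswordGrantValidator.cs. The enclosing method starts and ends outside this hunk.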
@@ -63,13 +63,11 @@ namespace Streetwriters.Identity.Validation
 var tokenResult = BearerTokenValidator.ValidateAuthorizationHeader(httpContext);
 if (!tokenResult.TokenFound) return;
-
 var tokenValidationResult = await TokenValidator.ValidateAccessTokenAsync(tokenResult.Token, Config.MFA_PASSWORD_GRANT_TYPE_SCOPE);
 if (tokenValidationResult.IsError) return;
-
- var client = Clients.FindClientById(tokenValidationResult.Claims.GetClaimValue("client_id"));
- if (client == null)
+ var client = Clients.FindClientById(context.Request.ClientId);
+ if (client == null || context.Request.ClientId != tokenValidationResult.Claims.GetClaimValue("client_id"))
 {
 context.Result = new GrantValidationResult(TokenRequestErrors.InvalidClient);
 return;
@@ -80,16 +78,15 @@ namespace Streetwriters.Identity.Validation
 if (string.IsNullOrEmpty(userId)) return;
+ var user = await UserManager.FindByIdAsync(userId);
+ if (user == null) return;
+
 context.Result.Error = "unauthorized";
 context.Result.ErrorDescription = "Password is incorrect.";
 if (string.IsNullOrEmpty(password)) return;
- var user = await UserManager.FindByIdAsync(userId);
- if (user == null) return;
-
 var result = await SignInManager.CheckPasswordSignInAsync(user, password, true);
-
 if (result.IsLockedOut)
 {
 var timeLeft = user.LockoutEnd - DateTimeOffset.Now;
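Review bot: In the second hunk, the added `if (user == null) return;` exits before `context.Result.Error`/`ErrorDescription` are assigned, so an unknown user leaves `context.Result` at whatever it held before this hunk while an empty or wrong password reports "Password is incorrect."; that is fine if the earlier default is a generic failure, but nothing in the hunk says so. Since `userId` is resolved above the hunk — presumably from the validated MFA token rather than from the request body — a missing user here means a stale token or a removed account rather than a guessable input, and a one-line comment would make that explicit: `// userId comes from the validated token; a missing account keeps the generic failure set earlier instead of hinting at a password problem`. The reorder also performs the user-store lookup before the cheap empty-password rejection; if that order is deliberate, state why in the same comment. The enclosing method starts and ends outside this hunk.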