fix potential reuse of OAuth state token on failure to mark it as used

Signed-off-by: Ronni Skansing <rskansing@gmail.com>
This commit is contained in:
Ronni Skansing
2026-02-28 01:34:12 +01:00
parent b7d440b183
commit 2fb7ff72f3


@@ -479,11 +479,13 @@ func (o *OAuthProvider) ExchangeCodeForTokens(
return errs.Wrap(err)
}
// mark state token as used
// mark state token as used before exchanging the code — if this fails the token
// remains unused and could be replayed within the 10-minute expiry window, so
// we must abort rather than continue
stateID := oauthState.ID.MustGet()
if err := o.OAuthStateRepository.MarkAsUsed(ctx, stateID); err != nil {
o.Logger.Errorw("failed to mark state token as used", "error", err)
// continue anyway - token exchange is more important
o.Logger.Errorw("failed to mark state token as used, aborting token exchange to prevent replay", "error", err)
return errs.Wrap(err)
}
// get client secret
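Review bot: Aborting when MarkAsUsed returns an error closes the replay gap on the failure path, but nothing in the hunk shows that MarkAsUsed refuses a state that is already marked; if it is an unconditional update that succeeds regardless of prior status, two callbacks presenting the same state concurrently could both pass whatever lookup produced oauthState and both reach the exchange before either sees the other's mark. Consider having MarkAsUsed treat an already-used state as an error (a conditional update that matches zero rows) so this branch also rejects the second caller, and add a one-line comment above the call such as `// MarkAsUsed must fail if the state was already used — this call is the replay guard, not bookkeeping`. The new log message is fine, though since the comment above it already states the reasoning, the "aborting token exchange to prevent replay" clause could be dropped to keep the log line short. ExchangeCodeForTokens starts and ends outside the hunk, so whether the state lookup itself filters on unused status cannot be confirmed from here.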