fixed the bug to compare client secrets when refreshing token

rp8 · rp8 · commit d34e84149e1a · 2021-07-05T13:35:27.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -23,6 +23,8 @@ _testmain.go
 *.test
 *.prof
 
+coverage.txt
+
 # OSX
 *.DS_Store
 *.db
diff --git a/manage/manager.go b/manage/manager.go
@@ -363,6 +363,10 @@ func (m *Manager) RefreshAccessToken(ctx context.Context, tgr *oauth2.TokenGener
 	cli, err := m.GetClient(ctx, tgr.ClientID)
 	if err != nil {
 		return nil, err
+	} else if cliPass, ok := cli.(oauth2.ClientPasswordVerifier); ok {
+		if !cliPass.VerifyPassword(tgr.ClientSecret) {
+			return nil, errors.ErrInvalidClient
+		}
 	} else if tgr.ClientSecret != cli.GetSecret() {
 		return nil, errors.ErrInvalidClient
 	}
diff --git a/server/server.go b/server/server.go
@@ -240,7 +240,7 @@ func (s *Server) GetAuthorizeToken(ctx context.Context, req *AuthorizeRequest) (
 		}
 	}
 
-	tgr := &oauth2.TokenGenerateRequest{
+	tgr = &oauth2.TokenGenerateRequest{
 		ClientID:            req.ClientID,
 		UserID:              req.UserID,
 		RedirectURI:         req.RedirectURI,

Original file line number	Diff line number	Diff line change
`@@ -240,7 +240,7 @@ func (s Server) GetAuthorizeToken(ctx context.Context, req AuthorizeRequest) (`
`240`	`240`	`}`
`241`	`241`	`}`
`242`	`242`
`243`		`- tgr := &oauth2.TokenGenerateRequest{`
	`243`	`+ tgr = &oauth2.TokenGenerateRequest{`
`244`	`244`	`ClientID: req.ClientID,`
`245`	`245`	`UserID: req.UserID,`
`246`	`246`	`RedirectURI: req.RedirectURI,`