Merge pull request #59079 from nextcloud/fix/do-not-store-auth-code

come-nc · web-flow · commit 69db28c7ec93 · 2026-03-23T10:31:51.000+01:00
fix(oauth2): Do not store the code in throttle metadata
diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -93,7 +93,7 @@ public function getToken(
 			$response = new JSONResponse([
 				'error' => 'invalid_request',
 			], Http::STATUS_BAD_REQUEST);
-			$response->throttle(['invalid_request' => 'token not found', 'code' => $code]);
+			$response->throttle(['invalid_request' => 'token not found']);
 			return $response;
 		}
 
diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
@@ -98,7 +98,7 @@ public function testGetTokenInvalidCode(): void {
 		$expected = new JSONResponse([
 			'error' => 'invalid_request',
 		], Http::STATUS_BAD_REQUEST);
-		$expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidcode']);
+		$expected->throttle(['invalid_request' => 'token not found']);
 
 		$this->accessTokenMapper->method('getByCode')
 			->with('invalidcode')
@@ -194,7 +194,7 @@ public function testRefreshTokenInvalidRefreshToken(): void {
 		$expected = new JSONResponse([
 			'error' => 'invalid_request',
 		], Http::STATUS_BAD_REQUEST);
-		$expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidrefresh']);
+		$expected->throttle(['invalid_request' => 'token not found']);
 
 		$this->accessTokenMapper->method('getByCode')
 			->with('invalidrefresh')

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ public function getToken(`
`93`	`93`	`$response = new JSONResponse([`
`94`	`94`	`'error' => 'invalid_request',`
`95`	`95`	`], Http::STATUS_BAD_REQUEST);`
`96`		`- $response->throttle(['invalid_request' => 'token not found', 'code' => $code]);`
	`96`	`+ $response->throttle(['invalid_request' => 'token not found']);`
`97`	`97`	`return $response;`
`98`	`98`	`}`
`99`	`99`