Apply PKCE downgrade protection from upstream

cicnavi · pradtke · commit 776a26f7b83d · 2023-03-19T19:45:58.000-07:00
diff --git a/lib/Server/Grants/AuthCodeGrant.php b/lib/Server/Grants/AuthCodeGrant.php
@@ -352,10 +352,18 @@ public function respondToAccessTokenRequest(
             throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e);
         }
 
+        $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
+        // If a code challenge isn't present but a code verifier is, reject the request to block PKCE downgrade attack
+        if ($this->shouldCheckPkce($client) && empty($authCodePayload->code_challenge) && $codeVerifier !== null) {
+            throw OAuthServerException::invalidRequest(
+                'code_challenge',
+                'code_verifier received when no code_challenge is present'
+            );
+        }
+
         // Validate code challenge
         if (!empty($authCodePayload->code_challenge)) {
-            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
-
             if ($codeVerifier === null) {
                 throw OAuthServerException::invalidRequest('code_verifier');
             }
