use existing oauth grant for public client (#31015) (#31041)

Backport #31015 by @denyskon

Do not try to create a new authorization grant when one already exists for this user and application; this prevents the DB-related authorization failure linked below.

Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426

Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Giteabot 2024-05-22 01:33:00 +08:00 committed by GitHub
parent 33d4d32096
commit ec4fa231c7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -544,7 +544,13 @@ func GrantApplicationOAuth(ctx *context.Context) {
ctx.ServerError("GetOAuth2ApplicationByClientID", err) ctx.ServerError("GetOAuth2ApplicationByClientID", err)
return return
} }
grant, err := app.CreateGrant(ctx, ctx.Doer.ID, form.Scope) grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID)
if err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
return
}
if grant == nil {
grant, err = app.CreateGrant(ctx, ctx.Doer.ID, form.Scope)
if err != nil { if err != nil {
handleAuthorizeError(ctx, AuthorizeError{ handleAuthorizeError(ctx, AuthorizeError{
State: form.State, State: form.State,
@ -553,6 +559,15 @@ func GrantApplicationOAuth(ctx *context.Context) {
}, form.RedirectURI) }, form.RedirectURI)
return return
} }
} else if grant.Scope != form.Scope {
handleAuthorizeError(ctx, AuthorizeError{
State: form.State,
ErrorDescription: "a grant exists with different scope",
ErrorCode: ErrorCodeServerError,
}, form.RedirectURI)
return
}
if len(form.Nonce) > 0 { if len(form.Nonce) > 0 {
err := grant.SetNonce(ctx, form.Nonce) err := grant.SetNonce(ctx, form.Nonce)
if err != nil { if err != nil {
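Review bot: The scope-mismatch branch at `} else if grant.Scope != form.Scope {` reports a problem with the client's request as `ErrorCodeServerError`, although RFC 6749 §4.1.2.1 defines `invalid_scope` for exactly this case and a server_error tells the client (and the user) nothing about how to recover; if this file's error-code set has an invalid-scope constant, `ErrorCode: ErrorCodeInvalidScope,` together with a description such as `"a grant for this application already exists with a different scope; revoke it in your settings to re-authorize"` would make the failure actionable. The check is a plain string comparison, so the same scopes in a different order or with different spacing would also be rejected — worth confirming that form.Scope is normalized before it reaches this handler. Separately, the lookup-then-create sequence is not atomic: two concurrent authorizations by the same user can both observe `grant == nil` and both call CreateGrant, so if the grant table enforces uniqueness per application and user the second request still fails in the way the commit message describes; re-fetching the grant when CreateGrant reports a duplicate would close that window. GrantApplicationOAuth begins before the first hunk and continues after the last shown line.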