Merge pull request from GHSA-rw54-6826-c8j5

rhertogh · web-flow · commit 721ed974bc44 · 2023-12-16T18:09:48.000+03:00
* Oauth2 replay attack mitigation for PKCE * Oauth2 PKCE downgrate attack mitigation * Updated changelog for GHSA-rw54-6826-c8j5
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,8 @@ Yii Framework 2 authclient extension Change Log
 ------------------------
 
 - Bug #364: Use issuer claim from OpenID Configuration (radwouters)
-- Enh: #367: Throw more specific `ClientErrorResponseException` when the response code in `BaseOAuth::sendRequest()` is a 4xx (rhertogh)  
+- Enh #367: Throw more specific `ClientErrorResponseException` when the response code in `BaseOAuth::sendRequest()` is a 4xx (rhertogh)
+- Enh GHSA-rw54-6826-c8j5: Improved security for OAuth2 client by requiring an `authCodeVerifier` if PKCE is enabled and clearing it after usage (rhertogh)
 
 
 2.2.14 November 18, 2022
diff --git a/src/OAuth2.php b/src/OAuth2.php
@@ -131,7 +131,14 @@ public function fetchAccessToken($authCode, array $params = [])
         ];
 
         if ($this->enablePkce) {
-            $defaultParams['code_verifier'] = $this->getState('authCodeVerifier');
+            $authCodeVerifier = $this->getState('authCodeVerifier');
+            if (empty($authCodeVerifier)) {
+                // Prevent PKCE Downgrade Attack
+                // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-pkce-downgrade-attack
+                throw new HttpException(409, 'Invalid auth code verifier.');
+            }
+            $defaultParams['code_verifier'] = $authCodeVerifier;
+            $this->removeState('authCodeVerifier');
         }
 
         $request = $this->createRequest()
