diff options
| author |  Emelia <thisismissem@noreply.codeberg.org> | 2025-06-03 10:04:15 +0200 |
|---|---|---|
| committer |  tobi <kipvandenbos@noreply.codeberg.org> | 2025-06-03 10:04:15 +0200 |
| commit | be6d80c02093842cbfe53e2d44867c255962ea95 (patch) | |
| tree | ab5d8c353a721f12d917788cc5a7a6be32b3d494 | |
| parent | [bugfix] Fix nil ptr for audio attachments with no preview in web (#4227) (diff) | |
| download | gotosocial-be6d80c02093842cbfe53e2d44867c255962ea95.tar.xz | |
[chore] Remove insecure PKCE Code Challenge Method for plain (#4232)
# Description
As I noted in https://codeberg.org/superseriousbusiness/gotosocial/pulls/2224 the PKCE code challenge method of "plain" is insecure and its usage is not recommend. In Mastodon and Hollo, we do not support it, as indicated by the `code_challenge_methods_supported` value here: https://mastodon.social/.well-known/oauth-authorization-server
This pull request removes the support for PKCE code challenge method "plain".
## Checklist
Please put an x inside each checkbox to indicate that you've read and followed it: `[ ]` -> `[x]`
If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want).
- [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md).
- [ ] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
- [x] I/we have not leveraged AI to create the proposed changes.
- [x] I/we have performed a self-review of added code.
- [x] I/we have written code that is legible and maintainable by others.
- [ ] I/we have commented the added code, particularly in hard-to-understand areas.
- [ ] I/we have made any necessary changes to documentation.
- [ ] I/we have added tests that cover new code.
- [x] I/we have run tests and they pass locally with the changes.
- [ ] I/we have run `go fmt ./...` and `golangci-lint run`.
I do get test failures locally, due to file sizes for media being different, but that's definitely unrelated to this change, as far as I can tell there is zero test coverage this part of the GTS code.
Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4232
Co-authored-by: Emelia <thisismissem@noreply.codeberg.org>
Co-committed-by: Emelia <thisismissem@noreply.codeberg.org>
| -rw-r--r-- | internal/oauth/server.go | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/internal/oauth/server.go b/internal/oauth/server.go index 05e8cad44..05872318a 100644 --- a/internal/oauth/server.go +++ b/internal/oauth/server.go @@ -126,7 +126,6 @@ func New( oauth2.ClientCredentials, }, AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{ - oauth2.CodeChallengePlain, oauth2.CodeChallengeS256, }, }, |