Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: improve abuse message, don't log request #766

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: improve abuse message, don't log request #766

wants to merge 1 commit into from

Conversation

hf
Copy link
Contributor

@hf hf commented Oct 21, 2022

Logging the request may leak some dangerous information such as the Authorization header. Adds clarification about the common cause for this error.

@hf hf requested a review from a team as a code owner October 21, 2022 15:51
kangmingtay
kangmingtay requested changes Oct 25, 2022
View reviewed changes
api/token.go
@@ -319,7 +319,7 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
return internalServerError(err.Error())
}
}
return oauthError("invalid_grant", "Invalid Refresh Token").WithInternalMessage("Possible abuse attempt: %v", r)
return oauthError("invalid_grant", "Invalid Refresh Token").WithInternalMessage("Possible abuse attempt with refresh tokens. Often this is caused by a buggy implementation of Server-Side Rendering.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return oauthError("invalid_grant", "Invalid Refresh Token").WithInternalMessage("Possible abuse attempt with refresh tokens. Often this is caused by a buggy implementation of Server-Side Rendering.")
return oauthError("invalid_grant", "Invalid Refresh Token").WithInternalMessage("Possible abuse attempt, refresh token was reused: %v", token)

api/token.go
@@ -422,7 +422,7 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
// verify nonce to mitigate replay attacks
hash := fmt.Sprintf("%x", sha256.Sum256([]byte(params.Nonce)))
if hash != hashedNonce.(string) {
return oauthError("invalid nonce", "").WithInternalMessage("Possible abuse attempt: %v", r)
return oauthError("invalid nonce", "").WithInternalMessage("Possible abuse attempt with refresh tokens. Often this is caused by a buggy implementation of Server-Side Rendering.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return oauthError("invalid nonce", "").WithInternalMessage("Possible abuse attempt with refresh tokens. Often this is caused by a buggy implementation of Server-Side Rendering.")
return oauthError("invalid nonce", "").WithInternalMessage("Possible abuse attempt, nonce does not match the nonce in the id token.")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kangmingtay kangmingtay kangmingtay requested changes

@J0 J0 J0 approved these changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@hf @J0 @kangmingtay