From 1f2b62d6191aeb22ef233a3f3f1d2a51ef494b2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?=
Date: Thu, 19 Mar 2026 14:25:14 +0100
Subject: [PATCH] fix(oauth2): Do not store the code in throttle metadata
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Côme Chilliet
---
 apps/oauth2/lib/Controller/OauthApiController.php | 2 +-
 apps/oauth2/tests/Controller/OauthApiControllerTest.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php
index 9af15af22f491..069ab0659e911 100644
--- a/apps/oauth2/lib/Controller/OauthApiController.php
+++ b/apps/oauth2/lib/Controller/OauthApiController.php
@@ -93,7 +93,7 @@ public function getToken(
 $response = new JSONResponse([
 'error' => 'invalid_request',
 ], Http::STATUS_BAD_REQUEST);
- $response->throttle(['invalid_request' => 'token not found', 'code' => $code]);
+ $response->throttle(['invalid_request' => 'token not found']);
 return $response;
 }

diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
index 8386ab9ad0e45..17875cabc5d7e 100644
--- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php
+++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php
@@ -98,7 +98,7 @@ public function testGetTokenInvalidCode(): void {
 $expected = new JSONResponse([
 'error' => 'invalid_request',
 ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidcode']);
+ $expected->throttle(['invalid_request' => 'token not found']);
 $this->accessTokenMapper->method('getByCode')
 ->with('invalidcode')
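Review bot: The new throttle() call on the `+` line of the OauthApiController hunk drops the authorization code from the metadata but leaves nothing in the code saying why, so a later change could reintroduce it for debuggability; I would add directly above it `// Never put the code or refresh token in throttle metadata: it is stored with the attempt, which would persist a credential.` The second test hunk (testRefreshTokenInvalidRefreshToken) drives this same 'token not found' branch with a refresh token, so the comment should name both values rather than just the code. If other throttle() calls in getToken still attach a client secret or token they need the same treatment, though none are visible in this hunk. getToken's body starts and ends outside the hunk.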
@@ -194,7 +194,7 @@ public function testRefreshTokenInvalidRefreshToken(): void {
 $expected = new JSONResponse([
 'error' => 'invalid_request',
 ], Http::STATUS_BAD_REQUEST);
- $expected->throttle(['invalid_request' => 'token not found', 'code' => 'invalidrefresh']);
+ $expected->throttle(['invalid_request' => 'token not found']);
 $this->accessTokenMapper->method('getByCode')
 ->with('invalidrefresh')