fix(oauth): strengthen PKCE validation and refresh token replay protection #142

New Issue

Closed

opened 2026-05-24 08:20:37 +00:00 by jmiller · 0 comments

jmiller commented 2026-05-24 08:20:37 +00:00

Owner

Copy Link

Copy Source

Summary

Tighten PKCE handling, redirect URI normalization, and refresh-token replay safety. Also binds token exchanges to the original client request.

Upstream Reference

• PR: https://github.com/go-gitea/gitea/pull/37738 (backport of #37706)
• PR: https://github.com/go-gitea/gitea/pull/37740 (backport of #37704)
• Merged: 2026-05-17
• Branch: release/v1.26

Severity: High

OAuth security hardening.

Warning

Upstream issue #37807 reports that the refresh token binding (#37740) breaks Drone CI cron jobs. Test OAuth clients before deploying.

Action

Cherry-pick from upstream release/v1.26. Test any OAuth integrations thoroughly.

---

Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

## Summary Tighten PKCE handling, redirect URI normalization, and refresh-token replay safety. Also binds token exchanges to the original client request. ## Upstream Reference - PR: https://github.com/go-gitea/gitea/pull/37738 (backport of #37706) - PR: https://github.com/go-gitea/gitea/pull/37740 (backport of #37704) - Merged: 2026-05-17 - Branch: release/v1.26 ## Severity: High OAuth security hardening. ## Warning Upstream issue #37807 reports that the refresh token binding (#37740) breaks Drone CI cron jobs. Test OAuth clients before deploying. ## Action Cherry-pick from upstream `release/v1.26`. Test any OAuth integrations thoroughly. --- *Authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller added the securityupstream labels 2026-05-24 08:25:46 +00:00

jmiller referenced this issue 2026-05-24 08:53:18 +00:00

fix(security): backport 12 upstream security fixes from v1.26.2 #165

jmiller closed this issue 2026-05-24 22:51:59 +00:00

Sign in to join this conversation.

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

No labels security upstream

Priority High

Type Bug

Status —

Priority —

Type —

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#142