fix(oauth): strengthen PKCE validation and refresh token replay protection #142
Closed
opened 2026-05-24 08:20:37 +00:00 by jmiller
·
0 comments
No Branch/Tag Specified
main
dev
rc/05.01.02
feat/auto-update-xml
rc/05.01.01
feat/deploy-maintenance-mode
rc/05.01.00
feat/release-sha-checksums
feat/update-checker-channels
feat/132-namespace-separation
feat/test-rc-workflow
rc/04.01.00
fix/security-backports
feat/upstream-bug-sync
fix/upstream-v1.26.2-backports
fix/136-actions-concurrency-nil-panic
feat/ntfy-integration
feat/badge-engine
feat/prometheus-metrics
feat/update-checker
alpha
beta
feature
version
feat/custom-logo
v1.26.1-moko.05.01.02
v1.26.1-moko.05.00.00-rc.180
v1.26.1-moko.05.01.01
v1.26.1-moko.05.00.00-rc.178
v1.26.1-moko.05.01.00
v1.26.1-moko.05.00.00-rc.176
v1.26.1-moko.05.00.00
v1.26.1-moko.04.01.00-rc.170
v1.26.1-moko.04.01.00
v1.26.1-moko.04.00.00
v1.25.5-moko.1
v1.26.1
v1.26.0
v1.26.0-rc0
v1.27.0-dev
v1.25.5
v1.25.4
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
breaking-change
ci-cd
config
dependencies
deploy-failure
docker
documentation
good first issue
health-check
help wanted
mokostandards
pending: testing
priority: critical
priority: high
priority: low
priority: medium
push-failure
security
size/l
size/m
size/s
size/xl
size/xs
standards-drift
standards-update
status: blocked
status: in-progress
status: needs-review
status: on-hold
status: wontfix
sync-failure
type: bug
type: bug
type: chore
type: enhancement
type: feature
type: refactor
type: version
upstream
work-in-progress
bug
chore
documentation
enhancement
feature
pending: dependency
pending: deployment
pending: design
pending: documentation
pending: feedback
pending: review
pending: testing
priority: critical
priority: high
priority: low
priority: medium
refactor
roadmap
scope: client
scope: dolibarr
scope: infrastructure
scope: joomla
scope: waas
security
status: blocked
status: duplicate
status: in-progress
status: needs-review
status: wontfix
Breaking API or behavior change
CI/CD pipeline changes
Configuration changes
Dependency updates
Deployment failed
Docker/container changes
Documentation changes
Good for newcomers
Repo health check result
Extra attention needed
Related to MokoStandards framework
Feature implemented but not yet tested with documented proof
Must fix immediately
Important, fix soon
Nice to have
Normal priority
Git push operation failed
Security vulnerability or hardening
200-500 lines changed
50-200 lines changed
10-50 lines changed
500+ lines changed
< 10 lines changed
Deviates from MokoStandards
MokoStandards compliance update
Blocked by dependency or decision
Actively being worked on
Awaiting code review
Paused intentionally
Will not be addressed
Sync or mirror failed
Something isn't working
Maintenance, dependencies, cleanup
Improvement to existing feature
New functionality
Code restructuring without behavior change
Version bump or release
Draft or incomplete work
Something is not working
Maintenance and housekeeping
Documentation improvements
Improvement to existing functionality
New feature or request
Blocked by another issue or external dependency
Tested and approved, awaiting deployment to production
Needs UI/UX or architecture design before implementation
Feature works, needs documentation/wiki update
Awaiting feedback or decision from stakeholder
Implementation complete, awaiting code review
Feature implemented but not yet tested
Must fix immediately
Should fix soon
Nice to have
Fix when convenient
Code restructuring without behavior change
Planned feature or enhancement tracked on the roadmap
Client-specific work
Dolibarr modules and customizations
Server, CI, backups, monitoring
Joomla templates and extensions
MokoWaaS platform
Security vulnerability or hardening
Waiting on external dependency
Duplicate of another issue
Being worked on
Ready for review
Will not be addressed
Milestone
No items
No Milestone
Projects
Clear projects
No projects
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: MokoConsulting/MokoGitea#142
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Tighten PKCE handling, redirect URI normalization, and refresh-token replay safety. Also binds token exchanges to the original client request.
Upstream Reference
Severity: High
OAuth security hardening.
Warning
Upstream issue #37807 reports that the refresh token binding (#37740) breaks Drone CI cron jobs. Test OAuth clients before deploying.
Action
Cherry-pick from upstream
release/v1.26. Test any OAuth integrations thoroughly.Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com