From a6081a2e7f1ed0c6d49666f3b67dc488a2413ac7 Mon Sep 17 00:00:00 2001
From: David Rodrigues
Date: Thu, 29 Jan 2026 10:30:32 +0000
Subject: [PATCH 1/4] fix: 6034 undef authorization code on every attempt

---
 src/core/oauth2-authorize.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
index e20cdd3b594..3794b2b0555 100644
--- a/src/core/oauth2-authorize.js
+++ b/src/core/oauth2-authorize.js
@@ -78,6 +78,9 @@ export default function authorize ( { auth, authActions, errActions, configs, au
 }
 
 if ((flow === "authorizationCode" || flow === "authorization_code" || flow === "accessCode") && authConfigs.usePkceWithAuthorizationCodeGrant) {
+ // deleting old authorization code before new attempt
+ delete auth.code
+
 const codeVerifier = generateCodeVerifier()
 const codeChallenge = createCodeChallenge(codeVerifier)
 

From 8ab3a7856e47f54de5fbbaf25d6e1532d55839f3 Mon Sep 17 00:00:00 2001
From: David Rodrigues
Date: Thu, 29 Jan 2026 10:33:11 +0000
Subject: [PATCH 2/4] test: add unit test for deleting authorization code on every pkce attempt

---
 test/unit/core/oauth2-authorize.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/test/unit/core/oauth2-authorize.js b/test/unit/core/oauth2-authorize.js
index b31faeb4b49..f6eb2f7678f 100644
--- a/test/unit/core/oauth2-authorize.js
+++ b/test/unit/core/oauth2-authorize.js
@@ -197,5 +197,22 @@ describe("oauth2", () => {
 
 authConfig3.authActions.authPopup.mockReset()
 })
+
+ it("should delete previous authorization code when using authorizationCode flow with usePkceWithAuthorizationCodeGrant enabled", () => {
+ mockSchema.flow = "authorizationCode"
+
+ authConfig.authConfigs.usePkceWithAuthorizationCodeGrant = true
+
+ // Simulate a stale authorization code from a previous attempt
+ authConfig.auth.code = "mock_authorization_code"
+
+ expect(authConfig.auth.code).toBe("mock_authorization_code")
+
+ oauth2Authorize(authConfig)
+ expect(authConfig.auth.code).toBeUndefined()
+
+ authConfig.authActions.authPopup.mockReset()
+ })
+
 })
 })

From d815940ae08614709f924ce0a8163f77ebfa403d Mon Sep 17 00:00:00 2001
From: David Rodrigues
Date: Sun, 1 Feb 2026 18:13:49 +0000
Subject: [PATCH 3/4] UPD - remove code at beggining to ensure all execution paths are handled

---
 src/core/oauth2-authorize.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/core/oauth2-authorize.js b/src/core/oauth2-authorize.js
index 3794b2b0555..06a6fa02d3a 100644
--- a/src/core/oauth2-authorize.js
+++ b/src/core/oauth2-authorize.js
@@ -8,6 +8,11 @@ export default function authorize ( { auth, authActions, errActions, configs, au
 let flow = schema.get("flow")
 let query = []
 
+ // deleting old authorization code before new attempt if defined.
+ // At this stage we don't care about flow type.
+ // It fails silently if not defined yet
+ delete auth.code
+
 switch (flow) {
 case "password":
 authActions.authorizePassword(auth)
@@ -78,9 +83,6 @@ export default function authorize ( { auth, authActions, errActions, configs, au
 }
 
 if ((flow === "authorizationCode" || flow === "authorization_code" || flow === "accessCode") && authConfigs.usePkceWithAuthorizationCodeGrant) {
- // deleting old authorization code before new attempt
- delete auth.code
-
 const codeVerifier = generateCodeVerifier()
 const codeChallenge = createCodeChallenge(codeVerifier)
 
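Review bot: The test sets `mockSchema.flow` and `authConfig.authConfigs.usePkceWithAuthorizationCodeGrant = true` but its teardown only calls `authConfig.authActions.authPopup.mockReset()`, so the PKCE flag stays enabled for whatever test runs next in this file unless a `beforeEach` outside the hunk rebuilds `authConfig`. Capturing the previous value before the test and restoring it after the assertions, or moving the flag into a per-test fixture, keeps the case independent of test order. The enclosing `describe` opens outside the hunk.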
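Review bot: `delete auth.code` now runs before the `switch`, and since this file is an ES module (strict mode) it throws a TypeError when `auth` is undefined, whereas before this commit a missing `auth` simply flowed into calls such as `authActions.authorizePassword(auth)`; if callers cannot guarantee `auth`, guard it with `if (auth) delete auth.code`. The comment `It fails silently if not defined yet` is accurate for an absent property but not for a non-configurable one (a frozen `auth` would throw in strict mode), so a wording like `// no-op when auth.code is absent` states only what holds. Clearing the single-use code before every attempt regardless of flow is the right placement, since it keeps a stale code from a previous round from being carried into the new one. authorize() continues past both ends of this hunk.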
From 9dd3015fee119eb3e5cbb1d223db47f07200cfc9 Mon Sep 17 00:00:00 2001
From: David Rodrigues
Date: Sun, 1 Feb 2026 18:14:18 +0000
Subject: [PATCH 4/4] UPD - test name because it's part of the AC flow

---
 test/unit/core/oauth2-authorize.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/unit/core/oauth2-authorize.js b/test/unit/core/oauth2-authorize.js
index f6eb2f7678f..d69342d76f4 100644
--- a/test/unit/core/oauth2-authorize.js
+++ b/test/unit/core/oauth2-authorize.js
@@ -198,7 +198,7 @@ describe("oauth2", () => {
 authConfig3.authActions.authPopup.mockReset()
 })
 
- it("should delete previous authorization code when using authorizationCode flow with usePkceWithAuthorizationCodeGrant enabled", () => {
+ it("should delete previous authorization code when using authorizationCode flow on each attempt", () => {
 mockSchema.flow = "authorizationCode"
 
 authConfig.authConfigs.usePkceWithAuthorizationCodeGrant = true
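Review bot: The renamed title now promises deletion on each attempt, but the body still sets `authConfig.authConfigs.usePkceWithAuthorizationCodeGrant = true`, so the test only exercises the PKCE path even though the previous commit in this series moved `delete auth.code` ahead of the `switch` for every flow. A second case with that flag set to `false` (or another flow value the `switch` handles) would pin the flow-independent behaviour the title describes; as written, reverting the move back into the PKCE branch would not fail this test. The rest of the test body is outside the hunk.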