From 314ee5b92bf23c4973aa8e61eba3ff458e80eef2 Mon Sep 17 00:00:00 2001
From: GHOST Date: Mon, 3 Feb 2025 18:28:31 +0000 Subject: [PATCH 1/5] endpoints: add patreon endpoint Adds the patreon endpoints from their documentation. https://docs.patreon.com/#oauth. I've tested these thoroughly whilst making a pr to pocketbase. https://github.com/pocketbase/pocketbase/pull/3323. Change-Id: I023871a4340ee4ebcba9fd808d4a8f0c081fc10e GitHub-Last-Rev: 890ef056bd78d109e0ecc464263f9e85586e3f7d GitHub-Pull-Request: golang/oauth2#668 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/528640 Reviewed-by: Cherry Mui Reviewed-by: Carlos Amedee Reviewed-by: Jorropo Auto-Submit: Jorropo LUCI-TryBot-Result: Go LUCI
---
 endpoints/endpoints.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go
index 950754ce4..0d8cf64ae 100644
--- a/endpoints/endpoints.go
+++ b/endpoints/endpoints.go
@@ -146,6 +146,12 @@ var Odnoklassniki = oauth2.Endpoint{
 TokenURL: "https://api.odnoklassniki.ru/oauth/token.do",
 }
 
+// Patreon is the endpoint for Patreon.
+var Patreon = oauth2.Endpoint{
+ AuthURL: "https://www.patreon.com/oauth2/authorize",
+ TokenURL: "https://www.patreon.com/api/oauth2/token",
+}
+
 // PayPal is the endpoint for PayPal.
 var PayPal = oauth2.Endpoint{
 AuthURL: "https://www.paypal.com/webapps/auth/protocol/openidconnect/v1/authorize",
From ac571fa341c2a2b979d2b2c8341fd24767ef5d47 Mon Sep 17 00:00:00 2001
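Review bot: The new `Patreon` endpoint in endpoints/endpoints.go leaves `AuthStyle` at its zero value, so the library falls back to auto-detection and, as far as I understand that mode, may present the client secret first in an Authorization header and then again in the request body during the first token exchange. If the provider documentation linked in the commit message names one method, pinning it, for example `AuthStyle: oauth2.AuthStyleInParams,`, removes the probe request and keeps the secret on a single path; which value is right has to be confirmed against that documentation. The same applies to the `Discord` endpoint added in patch 3/5.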
From: Patrik Lundin Date: Thu, 13 Feb 2025 07:38:29 +0000 Subject: [PATCH 2/5] oauth2: fix docs for Config.DeviceAuth Config.DeviceAccess should be Config.DeviceAuth when using GenerateVerifier() or S256ChallengeOption() Change-Id: Ie21a808387f731d270ae54ea1705de3e786cad7f GitHub-Last-Rev: 2d6b4fd736ce785cc1675b1963be165529b09b1f GitHub-Pull-Request: golang/oauth2#763 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/636216 Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI Auto-Submit: Jorropo Reviewed-by: Jorropo
---
 pkce.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkce.go b/pkce.go
index 50593b6df..6a95da975 100644
--- a/pkce.go
+++ b/pkce.go
@@ -21,7 +21,7 @@ const (
 //
 // A fresh verifier should be generated for each authorization.
 // S256ChallengeOption(verifier) should then be passed to Config.AuthCodeURL
-// (or Config.DeviceAccess) and VerifierOption(verifier) to Config.Exchange
+// (or Config.DeviceAuth) and VerifierOption(verifier) to Config.Exchange
 // (or Config.DeviceAccessToken).
 func GenerateVerifier() string {
 // "RECOMMENDED that the output of a suitable random number generator be
@@ -51,7 +51,7 @@ func S256ChallengeFromVerifier(verifier string) string {
 }
 
 // S256ChallengeOption derives a PKCE code challenge derived from verifier with
-// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAccess
+// method S256. It should be passed to Config.AuthCodeURL or Config.DeviceAuth
 // only.
 func S256ChallengeOption(verifier string) AuthCodeOption {
 return challengeOption{
From 109dabf9017129171d1807e485ca5633ecd095ac Mon Sep 17 00:00:00 2001
From: Hamza Ali Date: Thu, 13 Feb 2025 15:41:44 +0000 Subject: [PATCH 3/5] endpoints: add links/provider for Discord Endpoints are provided from https://discord.com/developers/docs/topics/oauth2#shared-resources-oauth2-urls. Change-Id: I7bcc8b4cb5527959acb8f177ffb8bbafbe727e82 GitHub-Last-Rev: 6869fc3f48c79750a9ab40276be08197300955cf GitHub-Pull-Request: golang/oauth2#768 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/649115 Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui Reviewed-by: Dmitri Shuralyov Auto-Submit: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI
---
 endpoints/endpoints.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/endpoints/endpoints.go b/endpoints/endpoints.go
index 0d8cf64ae..d6e575e1f 100644
--- a/endpoints/endpoints.go
+++ b/endpoints/endpoints.go
@@ -35,6 +35,12 @@ var Cern = oauth2.Endpoint{
 TokenURL: "https://oauth.web.cern.ch/OAuth/Token",
 }
 
+// Discord is the endpoint for Discord.
+var Discord = oauth2.Endpoint{
+ AuthURL: "https://discord.com/oauth2/authorize",
+ TokenURL: "https://discord.com/api/oauth2/token",
+}
+
 // Facebook is the endpoint for Facebook.
 var Facebook = oauth2.Endpoint{
 AuthURL: "https://www.facebook.com/v3.2/dialog/oauth",
From 3f78298beea38fb76a3fbca33e3056f4b7eb5502 Mon Sep 17 00:00:00 2001
From: Gopher Robot Date: Fri, 14 Feb 2025 21:12:09 +0000 Subject: [PATCH 4/5] all: upgrade go directive to at least 1.23.0 [generated] By now Go 1.24.0 has been released, and Go 1.22 is no longer supported per the Go Release Policy (https://go.dev/doc/devel/release#policy). For golang/go#69095. [git-generate] (cd . && go get go@1.23.0 && go mod tidy && go fix ./... && go mod edit -toolchain=none) Change-Id: I718ce0afa60729aeb89396db2b559faf03b90a68 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/649795 Auto-Submit: Gopher Robot Reviewed-by: Dmitri Shuralyov Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index d73aa6996..da302fb45 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module golang.org/x/oauth2
 
-go 1.18
+go 1.23.0
 
 require (
 cloud.google.com/go/compute/metadata v0.3.0
From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
From: Neal Patel Date: Thu, 30 Jan 2025 14:10:09 -0500 Subject: [PATCH 5/5] jws: split token into fixed number of parts Thanks to 'jub0bs' for reporting this issue. Fixes #71490 Fixes CVE-2025-22868 Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 Auto-Submit: Gopher Robot Reviewed-by: Damien Neil Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI
---
 jws/jws.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jws/jws.go b/jws/jws.go
index 95015648b..6f03a49d3 100644
--- a/jws/jws.go
+++ b/jws/jws.go
@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
 // Verify tests whether the provided JWT token's signature was produced by the private key
 // associated with the supplied public key.
 func Verify(token string, key *rsa.PublicKey) error {
- parts := strings.Split(token, ".")
- if len(parts) != 3 {
+ if strings.Count(token, ".") != 2 {
 return errors.New("jws: invalid token received, token must have 3 parts")
 }
 
+ parts := strings.SplitN(token, ".", 3)
 signedContent := parts[0] + "." + parts[1]
 signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
 if err != nil {
pFad - Phonifier reborn
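Review bot: The jws/jws.go patch changes only that one file and carries no regression test, so nothing in it pins the behaviour that `Verify` rejects a token with extra separators before the string is split. A small test that hands `Verify` a token consisting of many `.` characters and expects the "token must have 3 parts" error would do that, and a why-comment above the guard such as `// Count separators before splitting so a malformed token cannot force a large slice allocation.` would keep a later cleanup from folding the check back into `strings.Split`. Any other place in the file that splits token input on `.` is not visible in this hunk and is worth checking for the same pattern. `Verify` continues past the end of the hunk.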
