ory / fosite
Coverage: 85% (master: 71%)
LAST BUILD BRANCH: ecdsa-compose
DEFAULT BRANCH: master
Repo Added 08 Feb 2017 11:47AM UTC
Files 97
LAST BUILD ON BRANCH fix-cs
branch: fix-cs
Build 993 (push, via travis-ci, committer arekkas): pending completion
core: Sanitizes request body before sending it to the storage adapter

This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to potential storage implementations. This library used to pass
all of the request body from both authorize and token endpoints to the storage adapters. As some of these values
are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused,
with the addition of enabling POST-body based client authentication, the client secret to be leaked.

The issue has been resolved by sanitizing the request body and only including those values truly required by their
respective handlers. This led to two breaking changes in the API:

1. The `fosite.Requester` interface has a new method `Sanitize(allowedParameters []string) Requester` which returns
a sanitized clone of the method receiver. If you do not use your own `fosite.Requester` implementation, this won't affect you.
2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods
to be added work exactly like, for example, `CreateAuthorizeCodeSession`. The method signatures are as follows:
```go
package storage

import (
	"context"
	"github.com/ory/fosite"
)

// Keyed by the authorization code's signature, like the authorize-code session methods.
type PKCERequestStorage interface {
	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
	DeletePKCERequestSession(ctx context.Context, signature string) error
}
```

We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.

We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this
issue.
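To make the leak and the fix concrete, here is an added Go example written for this page; it is not code from fosite or from the commit above. It uses a minimal stand-in `Request` type with a `Sanitize(allowedParameters)` method that returns a filtered clone, and an in-memory `MemoryStore` that, like the adapters the message describes, persists whatever form it is handed. The `Request` and `MemoryStore` types, the `TokenHandlerAllowed` allow-list, and the sample token request with POST-body client authentication (including its `client_secret` and `code_verifier` values) are all constructed for the example; fosite's real types and the exact parameters each of its handlers retains are not shown here.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// Request is a minimal stand-in for the request object a library like this
// hands to its storage adapters. It is an illustration written for this page,
// not fosite's own fosite.Request type.
type Request struct {
	ID   string
	Form url.Values // every parsed query/POST-body parameter of the request
}

// Sanitize returns a clone that carries only the parameters named in
// allowedParameters. The receiver is untouched, so the handler that still
// needs client_secret to authenticate the client keeps its full view while
// the copy handed to storage no longer contains it.
func (r *Request) Sanitize(allowedParameters []string) *Request {
	keep := make(map[string]struct{}, len(allowedParameters))
	for _, k := range allowedParameters {
		keep[k] = struct{}{}
	}
	clone := &Request{ID: r.ID, Form: url.Values{}}
	for k, vals := range r.Form {
		if _, ok := keep[k]; ok {
			// copy the slice so later mutation of the clone cannot reach the original
			clone.Form[k] = append([]string(nil), vals...)
		}
	}
	return clone
}

// MemoryStore mimics an adapter that persists the whole form it is given,
// keyed by the code/token signature (hypothetical shape, not fosite's).
type MemoryStore struct {
	sessions map[string]url.Values
}

func NewMemoryStore() *MemoryStore { return &MemoryStore{sessions: map[string]url.Values{}} }

// CreateSession "drops the full body to the database": whatever is in
// r.Form ends up persisted under signature.
func (s *MemoryStore) CreateSession(signature string, r *Request) {
	s.sessions[signature] = r.Form
}

// StoredKeys lists the parameter names persisted under signature, sorted so
// the result is stable for comparison.
func (s *MemoryStore) StoredKeys(signature string) []string {
	keys := make([]string, 0, len(s.sessions[signature]))
	for k := range s.sessions[signature] {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Contains reports whether keys includes k.
func Contains(keys []string, k string) bool {
	for _, key := range keys {
		if key == k {
			return true
		}
	}
	return false
}

// TokenHandlerAllowed is a hypothetical allow-list of what a token-endpoint
// handler needs to persist; client_id/client_secret are deliberately absent.
var TokenHandlerAllowed = []string{"grant_type", "code", "redirect_uri", "scope"}

// Demo stores one constructed token request both raw and sanitized and
// returns the parameter names each store ended up holding.
func Demo() (raw, sanitized []string) {
	req := &Request{ID: "req-1", Form: url.Values{
		"grant_type":    {"authorization_code"},
		"code":          {"SplxlOBeZQQYbYS6WxSbIA"}, // constructed sample code
		"redirect_uri":  {"https://client.example/cb"},
		"client_id":     {"s6BhdRkqt3"},
		"client_secret": {"constructed-sample-secret"}, // POST-body client auth
		"code_verifier": {"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"},
	}}
	leaky, safe := NewMemoryStore(), NewMemoryStore()
	leaky.CreateSession("sig", req)                               // pre-fix behaviour
	safe.CreateSession("sig", req.Sanitize(TokenHandlerAllowed)) // post-fix behaviour
	return leaky.StoredKeys("sig"), safe.StoredKeys("sig")
}

func main() {
	raw, sanitized := Demo()
	fmt.Println("raw store holds:      ", raw)
	fmt.Println("sanitized store holds:", sanitized)
}
```

Run it with `go run` and the raw store lists `client_secret` and `code_verifier` among the persisted keys while the sanitized store holds only `code`, `grant_type` and `redirect_uri` (`scope` is allowed but absent from this request, so nothing is invented for it). Two points carry over to a real storage audit: the allow-list must be owned by the handler that replays the session, not by the adapter, and the clone must deep-copy the value slices, otherwise an adapter that mutates what it stores can still reach into the live request.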

2244 of 2626 relevant lines covered (85.45%)

139.86 hits per line


Recent builds

| Build | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 993 | fix-cs | core: Sanitizes request body before sending it to the storage adapter | push | 08 Apr 2018 09:41AM UTC | arekkas | travis-ci | pending completion |
| 992 | fix-cs | core: Sanitizes request body before sending it to the storage adapter | push | 07 Apr 2018 02:14PM UTC | arekkas | travis-ci | pending completion |

See All Builds (836)
© 2025 Coveralls, Inc