ory / fosite / 993 / 1
85%
master: 71%

LAST BUILD BRANCH: ecdsa-compose
DEFAULT BRANCH: master
Ran
Files 62
Run time 2s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 85.453%. Remained the same
DEP_VERSION="0.3.2"

push

travis-ci

arekkas 
core: Sanitizes request body before sending it to the storage adapter

This release resolves a security issue (reported by [platform.sh](https://www.platform.sh)) related to potential storage implementations. This library used to pass
all of the request body from both authorize and token endpoints to the storage adapters. As some of these values
are needed in consecutive requests, some storage adapters chose to drop the full body to the database. This in turn caused,
with the addition of enabling POST-body based client authentication, the client secret to be leaked.

The issue has been resolved by sanitizing the request body and only including those values truly required by their
respective handlers. This lead to two breaking changes in the API:

1. The `fosite.Requester` interface has a new method `Sanitize(allowedParameters []string) Requester` which returns
a sanitized clone of the method receiver. If you do not use your own `fosite.Requester` implementation, this won't affect you.
2. If you use the PKCE handler, you will have to add three new methods to your storage implementation. The methods
to be added work exactly like, for example `CreateAuthorizeCodeSession`. The method signatures are as follows:
```go
type PKCERequestStorage interface {
	GetPKCERequestSession(ctx context.Context, signature string, session fosite.Session) (fosite.Requester, error)
	CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error
	DeletePKCERequestSession(ctx context.Context, signature string) error
}
```

We encourage you to upgrade to this release and check your storage implementations and potentially remove old data.

We would like to thank [platform.sh](https://www.platform.sh) for sponsoring the development of a patch that resolves this
issue.

2244 of 2626 relevant lines covered (85.45%)

139.86 hits per line

Source Files on job 993.1 (DEP_VERSION="0.3.2")