Access tokens should not be sent in multiple fields #241
Comments
Yeah, I think I did this because the micropub endpoint from WordPress required that. Not sure if I could remove it. @dshanske can you confirm? I think the other framework implementations (Drupal for sure) are fine with the header, so I'd be fine to only use that.
Another option of course is to make it configurable, defaulting to sending it in the header.
Ah yes, I've just been looking through the code and saw the comment about WordPress. I think making it configurable would be best, letting folks decide how it's sent. It may be worth warning users on their first run of the upgraded app that they're using the new defaults, and allowing them to set it there and then; otherwise WordPress users would suddenly have issues publishing content?
We don't require it. We support either. But some servers block the header. Suggest it default to header only...
Default to header sounds good!
Fixed in dev.
Awesome, thanks very much for being so responsive! Do I remember correctly that the release is automatic at the end of the day?
Oh no, that's at a randomly selected moment I choose, so not really a fixed release schedule :) That said, I'll do a release next week. After that I'm going to test a big new feature myself for a few weeks, so I'll make sure this one gets out first.
Ah, OK, cool. Any idea when next week? Or is there some way to get it running as a beta test? I'm unable to use the app with my own server unfortunately until I've got this, but I realise it's asking a lot for an out-of-band release.
Oh, in that case, pushed a new release :)
Amazing, thank you!
Describe the bug
Access tokens are being sent in both the Authorization header and in the form body. This is not correct, and some OAuth2-compliant resource servers will reject requests.
Sample captured request, with sanitised access tokens:
To Reproduce
Set up a stub server in place of a micropub server, and observe the HTTP request received.
Expected behavior
Access tokens should be sent in one place.
Screenshots
N/A
Smartphone (please complete the following information):
Google Pixel 3A
Additional context
This depends on the resource server and the error they return, which is why some servers will not see this issue.
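The behaviour reported above, and the "default to header only" outcome of the discussion, as an added example in Python (not the app's code, nor that of WordPress or Drupal; the token value, form fields, realm string and function names are constructed for illustration). The server side implements the rule from RFC 6750: section 2 says a client must not use more than one method to transmit the token in a request, and section 3.1 classifies a request that does so as invalid_request, answered with HTTP 400. The client side builds a form-encoded Micropub request that puts the token in the Authorization header by default and moves it to the access_token body parameter only when explicitly asked to, never both.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample token; not a real credential.
SAMPLE_TOKEN = "tok_example_0000"


def build_micropub_request(token, form_fields, token_in_body=False):
    """Build (headers, body) for a form-encoded Micropub request.

    By default the token travels only in the Authorization header
    (RFC 6750 section 2.1). With token_in_body=True it travels only as the
    form-encoded access_token parameter (section 2.2), the compatibility
    mode for servers that strip or block the header. The two are never
    combined, because section 2 forbids more than one method per request.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = dict(form_fields)
    if token_in_body:
        fields["access_token"] = token
    else:
        headers["Authorization"] = "Bearer " + token
    return headers, urlencode(fields)


def extract_bearer_tokens(headers, body):
    """Return every access token the request carries, as (method, token) pairs.

    Header names and the 'Bearer' scheme are matched case-insensitively;
    the body is only inspected when it is actually form-encoded, and a
    repeated access_token parameter yields one entry per occurrence.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    scheme, _, credential = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and credential.strip():
        found.append(("header", credential.strip()))
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded" and body:
        for value in parse_qs(body).get("access_token", []):
            found.append(("body", value))
    return found


def check_bearer_request(headers, body, realm="micropub"):
    """Resource-server check from RFC 6750 sections 2 and 3.1.

    Returns (status, www_authenticate, token). A request that carries the
    token by more than one method, or repeats the parameter, is rejected
    as invalid_request (400); a request with no token gets the bare
    challenge (401); otherwise the single token is handed back for
    validation against the token endpoint.
    """
    tokens = extract_bearer_tokens(headers, body)
    if not tokens:
        return 401, 'Bearer realm="%s"' % realm, None
    if len(tokens) > 1:
        challenge = ('Bearer realm="%s", error="invalid_request", '
                     'error_description="access token sent by more than '
                     'one method"' % realm)
        return 400, challenge, None
    return 200, None, tokens[0][1]


def legacy_request(token, form_fields):
    """Reconstruct the reported behaviour, header AND body, so the
    server-side rejection can be shown on a constructed request."""
    headers, _ = build_micropub_request(token, form_fields)
    _, body = build_micropub_request(token, form_fields, token_in_body=True)
    return headers, body


if __name__ == "__main__":
    post = {"h": "entry", "content": "hello"}
    print("header only:", check_bearer_request(*build_micropub_request(SAMPLE_TOKEN, post)))
    print("body only:  ", check_bearer_request(*build_micropub_request(SAMPLE_TOKEN, post, token_in_body=True)))
    print("both:       ", check_bearer_request(*legacy_request(SAMPLE_TOKEN, post)))
```

Whether a given server notices the duplicate depends on whether it runs a check like check_bearer_request or simply takes the first token it finds, which is why the issue only shows up against some endpoints; the client-side fix is the same either way, send it once.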