From 776a26f7b83da751d6ebf7d4950fc494312c35d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Ivan=C4=8Di=C4=87?=
Date: Sat, 18 Mar 2023 21:15:43 +0100
Subject: [PATCH] Apply PKCE downgrade protection from upstream

---
 lib/Server/Grants/AuthCodeGrant.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/Server/Grants/AuthCodeGrant.php b/lib/Server/Grants/AuthCodeGrant.php
index d9cc365e..7f398796 100644
--- a/lib/Server/Grants/AuthCodeGrant.php
+++ b/lib/Server/Grants/AuthCodeGrant.php
@@ -352,10 +352,18 @@ public function respondToAccessTokenRequest(
 throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e);
 }
 
+ $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
+ // If a code challenge isn't present but a code verifier is, reject the request to block PKCE downgrade attack
+ if ($this->shouldCheckPkce($client) && empty($authCodePayload->code_challenge) && $codeVerifier !== null) {
+ throw OAuthServerException::invalidRequest(
+ 'code_challenge',
+ 'code_verifier received when no code_challenge is present'
+ );
+ }
+
 // Validate code challenge
 if (!empty($authCodePayload->code_challenge)) {
- $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
-
 if ($codeVerifier === null) {
 throw OAuthServerException::invalidRequest('code_verifier');
 }
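Review bot: The new downgrade rejection is gated on `$this->shouldCheckPkce($client)`, so a client for which that returns false can still redeem a code that carries no `code_challenge` while sending a `code_verifier`, and the added comment reads as if the rejection were unconditional. If exempting such clients is intended, the comment should say so, e.g. `// Only enforced for clients where shouldCheckPkce() holds; exempt clients may send a stray code_verifier`; if it is not, the gate should be dropped so the check mirrors the unconditional challenge validation that follows: `if (empty($authCodePayload->code_challenge) && $codeVerifier !== null) {`. The check also uses `empty()` on the payload field, consistent with the `!empty` test on the next branch, but `=== null` would be the stricter form if the payload is known to carry null rather than an empty string when no challenge was bound to the code. respondToAccessTokenRequest begins before and continues after this hunk.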