OAuth 2.0 authorization and token exchange

Reject non-2xx responses from token endpoint

Change status check from >= 400 to outside 200-299 range. A 3xx
redirect from a misconfigured server would either leak client_secret
to the redirect target (if followed) or produce a confusing
Invalid_json error (if not followed). Now any non-2xx status is
rejected cleanly as Http_error.

+1 -1
lib/oauth.ml
··· 398 398 let body = Requests.Body.text form_str in 399 399 let resp = Requests.post http url ~body ~headers:token_headers in 400 400 let status = Requests.Response.status_code resp in 401 - if status >= 400 then begin 401 + if status < 200 || status >= 300 then begin 402 402 Log.warn (fun m -> m "Token endpoint returned HTTP %d" status); 403 403 Error (Http_error status) 404 404 end
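Review bot: the new condition `if status < 200 || status >= 300` only protects against the client_secret leak described in the commit message if `Requests.post` does not follow redirects itself; nothing in this hunk shows how `http` is configured, and if the client auto-follows a 3xx the form body (with the secret) has already been re-sent to the redirect target before `Requests.Response.status_code resp` is ever inspected, and the status seen here is that of the final hop. Worth confirming that redirect following is disabled for this call (or asserting so in a comment next to `let resp = Requests.post http url ~body ~headers:token_headers in`), and consider including the final URL or a note in the `Log.warn` message when a 3xx is rejected so the misconfiguration is diagnosable from the log alone.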