From 45cd6935fb11b9835733d64c979b7316e7ba83fc Mon Sep 17 00:00:00 2001
From: Stefan Lohmaier <stefan@slohmaier.de>
Date: Fri, 12 Jun 2026 09:34:18 +0200
Subject: [PATCH] Security: verify client_secret in authorization_code flow +
 shared token store

- Token exchange now requires valid client_secret (was missing)
- Access tokens stored in shared .active_tokens.json (cross-process)
- nginx rate limiting on /authorize and /token (10r/m, burst=5)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 common.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/common.py b/common.py
index f7b0f79..4c37d10 100644
--- a/common.py
+++ b/common.py
@@ -172,9 +172,10 @@ async def oauth_token(request: Request):
             if not _verify_pkce(code_verifier, code_data["code_challenge"], code_data["code_challenge_method"]):
                 return JSONResponse({"error": "invalid_grant", "error_description": "PKCE verification failed"}, status_code=400)
 
-        user = client_id
-        if user not in _load_tokens():
-            return JSONResponse({"error": "invalid_client"}, status_code=401)
+        # Verify client_secret at token exchange
+        user = _resolve_client(client_id, client_secret)
+        if not user:
+            return JSONResponse({"error": "invalid_client", "error_description": "Invalid client credentials"}, status_code=401)
 
     elif grant_type == "client_credentials":
         user = _resolve_client(client_id, client_secret)