slohmaier/mcp-home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security: verify client_secret in authorization_code flow + shared token store

Browse Source 
- Token exchange now requires valid client_secret (was missing)
- Access tokens stored in shared .active_tokens.json (cross-process)
- nginx rate limiting on /authorize and /token (10r/m, burst=5)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Stefan Lohmaier
2026-06-12 09:34:18 +02:00
parent 30351f1bcf
commit 45cd6935fb
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
common.py
+4 -3
View File
@@ -172,9 +172,10 @@ async def oauth_token(request: Request):
if not _verify_pkce(code_verifier, code_data["code_challenge"], code_data["code_challenge_method"]): if not _verify_pkce(code_verifier, code_data["code_challenge"], code_data["code_challenge_method"]):
return JSONResponse({"error": "invalid_grant", "error_description": "PKCE verification failed"}, status_code=400) return JSONResponse({"error": "invalid_grant", "error_description": "PKCE verification failed"}, status_code=400)
user = client_id # Verify client_secret at token exchange
if user not in _load_tokens(): user = _resolve_client(client_id, client_secret)
return JSONResponse({"error": "invalid_client"}, status_code=401) if not user:
return JSONResponse({"error": "invalid_client", "error_description": "Invalid client credentials"}, status_code=401)
elif grant_type == "client_credentials": elif grant_type == "client_credentials":
user = _resolve_client(client_id, client_secret) user = _resolve_client(client_id, client_secret)