doorkeeper-gem · nbulaj · Dec 23, 2024 · Dec 19, 2024 · Dec 19, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ User-visible changes worth mentioning.
 ## main
 
 Add your entry here.
+- [#1755] Fix the error message for force_pkce
 
 ## 5.8.1
 

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -96,6 +96,7 @@ en:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
           request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+          invalid_code_challenge: 'Code challenge is required.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'

diff --git a/lib/doorkeeper/errors.rb b/lib/doorkeeper/errors.rb
@@ -68,7 +68,6 @@ def self.translate_options
     InvalidClient = Class.new(BaseResponseError)
     InvalidScope = Class.new(BaseResponseError)
     InvalidRedirectUri = Class.new(BaseResponseError)
-    InvalidCodeChallenge = Class.new(BaseResponseError)
     InvalidGrant = Class.new(BaseResponseError)
 
     UnauthorizedClient = Class.new(BaseResponseError)

diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -14,12 +14,13 @@ class PreAuthorization
       validate :response_type, error: Errors::UnsupportedResponseType
       validate :response_mode, error: Errors::UnsupportedResponseMode
       validate :scopes, error: Errors::InvalidScope
-      validate :code_challenge, error: Errors::InvalidCodeChallenge
+      validate :code_challenge, error: Errors::InvalidRequest
       validate :code_challenge_method, error: Errors::InvalidCodeChallengeMethod
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes,
+                  :invalid_request_reason
 
       def initialize(server, parameters = {}, resource_owner = nil)
         @server = server
@@ -147,7 +148,10 @@ def validate_scopes
       def validate_code_challenge
         return true unless Doorkeeper.config.force_pkce?
         return true if client.confidential
-        code_challenge.present?
+        return true if code_challenge.present?
+
+        @invalid_request_reason = :invalid_code_challenge
+        false
       end
 
       def validate_code_challenge_method

diff --git a/spec/lib/oauth/pre_authorization_spec.rb b/spec/lib/oauth/pre_authorization_spec.rb
@@ -427,6 +427,7 @@
           attributes[:code_challenge] = " "
 
           expect(pre_auth).not_to be_authorizable
+          expect(pre_auth.error_response.description).to eq(translated_invalid_request_error_message(:invalid_code_challenge, nil))
         end
 
         it "accepts a code challenge" do
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ User-visible changes worth mentioning. @@
     ## main
     Add your entry here.
+    - [#1755] Fix the error message for force_pkce
     ## 5.8.1
@@ Expand Down @@