Closed marc-mabe closed 3 years ago
You can add a middleware to filter the request.
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class FixRefreshToken implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $params = $request->getParsedBody();
        // getParsedBody() may return null or an object; only an array carries form fields
        if (is_array($params) && isset($params['refresh_token']) && !is_string($params['refresh_token'])) {
            // coerce a non-string refresh_token to a string before the OAuth2 handler sees it
            $params['refresh_token'] = (string) $params['refresh_token'];
            $request = $request->withParsedBody($params);
        }
        return $handler->handle($request);
    }
}
I'm using https://github.com/mezzio/mezzio-authentication-oauth2 and noticed thousands of 500 errors on our server. (Someone tried to access something he should not have, but I don't expect this bug to be a security issue.)
The problem happens if someone passes a token that is not a string.
E.g.:
The bug seems to be fixed with but other grant types are very likely affected, too.
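The report above says a token that arrives as something other than a string makes the OAuth2 token handler fail with a 500, and that other grant types are likely affected in the same way. The following is an added example, not code from the issue, the commenter, or the mezzio project: a PSR-15 middleware that rejects any non-string token-endpoint parameter with an RFC 6749 `invalid_request` response (HTTP 400) before the request reaches the authorization server, instead of coercing the value. The middleware class name `RejectNonStringOAuth2Params`, the helper `findNonStringOAuth2Params` and the parameter list `OAUTH2_STRING_PARAMS` are my own; `Laminas\Diactoros\Response\JsonResponse` is assumed to be available because the mezzio skeleton ships laminas/diactoros. The demonstration at the bottom uses constructed form bodies; the `refresh_token[]=...` syntax is one way PHP's form parser produces an array instead of a string, which is an assumption about how the bad requests looked, not something the report states.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Laminas\Diactoros\Response\JsonResponse; // assumption: laminas/diactoros is installed

// Token-endpoint parameters that an OAuth2 server expects to be plain strings.
// Assumption: this list covers the RFC 6749 grant types; extend it for custom grants.
const OAUTH2_STRING_PARAMS = [
    'grant_type', 'client_id', 'client_secret', 'code', 'redirect_uri',
    'code_verifier', 'refresh_token', 'username', 'password', 'scope',
];

/**
 * Return the names of parameters that are present in the parsed body but are not
 * strings (arrays from "name[]=..." syntax, numbers or booleans from JSON bodies, ...).
 * Operates on the raw parsed body so it can be exercised without a request object.
 */
function findNonStringOAuth2Params(mixed $parsedBody): array
{
    // PSR-7 getParsedBody() may return null or an object; only an array carries form fields.
    if (!is_array($parsedBody)) {
        return [];
    }
    $bad = [];
    foreach (OAUTH2_STRING_PARAMS as $name) {
        if (array_key_exists($name, $parsedBody) && !is_string($parsedBody[$name])) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Hypothetical PSR-15 middleware: answer with an RFC 6749 error response instead of
// letting the token handler crash on an unexpected type.
final class RejectNonStringOAuth2Params implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $bad = findNonStringOAuth2Params($request->getParsedBody());
        if ($bad !== []) {
            return new JsonResponse(
                [
                    'error'             => 'invalid_request',
                    'error_description' => 'Parameters must be strings: ' . implode(', ', $bad),
                ],
                400,
                // RFC 6749 asks token responses, including errors, not to be cached.
                ['Cache-Control' => 'no-store', 'Pragma' => 'no-cache']
            );
        }
        return $handler->handle($request);
    }
}

// Stand-alone demonstration with constructed form bodies (no HTTP request needed).
// parse_str() applies the same rules PHP uses for $_POST, so "refresh_token[]=abc"
// becomes an array while "refresh_token=abc" stays a string.
parse_str('grant_type=refresh_token&refresh_token[]=abc', $hostileBody);
parse_str('grant_type=refresh_token&refresh_token=abc', $benignBody);

var_dump(findNonStringOAuth2Params($hostileBody)); // array-valued refresh_token
var_dump(findNonStringOAuth2Params($benignBody));  // well-formed request
var_dump(findNonStringOAuth2Params(null));         // body that was never parsed
```

Pipe the middleware in front of the token endpoint handler so it runs after body parsing. Rejecting rather than casting keeps the behaviour predictable: `(string)` applied to an array yields the literal `"Array"` together with an "Array to string conversion" warning, which is neither a usable token nor a clear error for the client, whereas a 400 with `invalid_request` tells the client exactly what was wrong and keeps malformed input out of the grant's token lookup entirely.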