industry · 2026-05-23 · 12 min read

My OAuth refresh-token scope expansion was accepted: an RFC 6749 §6 violation (PR #644 V F2)

Tolga, a 29-year-old freelance software developer in Cebeci, Ankara, built a custom analytics dashboard for his friend Tunç's Ulus Lokantası. The original integration was read-only (scope=orders.read). Three months later Tunç asked for a write feature. In his request to the refresh-token endpoint Tolga wrote scope=orders.read orders.write, adding a scope BEYOND the original grant. Per RFC 6749 section 6 this must be rejected (the requested scope MUST NOT include any scope not originally granted). thMenu's access-token endpoint accepted it and returned a new token with 200 OK, and that token included ORDERS.WRITE. Tolga's test call PATCH /api/orders/[id]/status succeeded: a privilege escalation vector.

Tolga reported it through responsible disclosure to security@thmenu.com (he reproduced it on his own test client and did not try it with Tunç's production token). thMenu support shipped a fix in 5 days; thMenu has no bug-bounty program, but Tolga received a 1-year free Pro tier upgrade plus a Hall of Fame entry.

Forensics: apps/web-admin/src/app/api/oauth/token/route.ts, refresh-token branch. `scope: body.scope ?? tokenRecord.scope`: the client-supplied body.scope was accepted, and WHETHER IT WAS A SUBSET OF THE ORIGINAL GRANT WAS NEVER CHECKED. The RFC says: (a) scope omitted ⇒ the original scope; (b) scope a subset of the original ⇒ that subset; (c) scope exceeding the original ⇒ 400 invalid_scope. Before the fix, all 3 cases were silently treated as case (a).

**PR #644 batch V F2** fix: an isScopeSubset(requested, granted) helper (Set.split.every) plus validation in the refresh-token branch: if body.scope is supplied, run the isScopeSubset check; !subset → 400 invalid_scope, otherwise effectiveScope = body.scope. Tolga then shipped the feature for Tunç through a new authorization-code flow (scope=orders.read orders.write with explicit consent). Pattern: an OAuth 2.0 refresh-token endpoint must comply strictly with RFC 6749 section 6; silent scope expansion is a privilege escalation vector.
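As an added example (not thMenu's route.ts code), the defective refresh-token scope handling and the RFC 6749 §6 rule side by side in TypeScript; only isScopeSubset, body.scope and tokenRecord.scope come from the post, while the type names, the refreshScope* functions and the sample values are constructed for illustration.

```typescript
// Added example, not thMenu's route.ts: the refresh-token scope rule of RFC 6749 §6,
// with the defective pattern from the post beside the shape of the PR #644 V F2 fix.
// Type names, refreshScope* and the sample values below are constructed for illustration.

type TokenRecord = { scope: string }; // scope granted at the original authorization
type RefreshBody = { grant_type: "refresh_token"; refresh_token: string; scope?: string };
type TokenResult =
  | { status: 200; scope: string }
  | { status: 400; error: "invalid_scope" };

// Scope values are space-delimited strings (RFC 6749 §3.3).
function parseScope(scope: string): Set<string> {
  return new Set(scope.split(/\s+/).filter(Boolean));
}

// True when every requested scope was part of the originally granted set.
// An empty request is not a meaningful narrowing, so it is rejected as well.
function isScopeSubset(requested: string, granted: string): boolean {
  const grantedSet = parseScope(granted);
  const requestedList = Array.from(parseScope(requested));
  return requestedList.length > 0 && requestedList.every((s) => grantedSet.has(s));
}

// BEFORE (the defect described in the post): the client-supplied scope is taken as-is,
// so a refresh request can widen orders.read to orders.read orders.write.
function refreshScopeVulnerable(body: RefreshBody, tokenRecord: TokenRecord): TokenResult {
  return { status: 200, scope: body.scope ?? tokenRecord.scope };
}

// AFTER: (a) scope omitted -> original scope; (b) subset -> the narrowed scope;
// (c) anything outside the original grant -> 400 invalid_scope.
function refreshScopeFixed(body: RefreshBody, tokenRecord: TokenRecord): TokenResult {
  if (body.scope === undefined) return { status: 200, scope: tokenRecord.scope };
  if (!isScopeSubset(body.scope, tokenRecord.scope)) return { status: 400, error: "invalid_scope" };
  return { status: 200, scope: body.scope };
}

// Constructed sample: a read-only grant and the widening request from the post.
const sampleRecord: TokenRecord = { scope: "orders.read" };
const sampleRequest: RefreshBody = {
  grant_type: "refresh_token",
  refresh_token: "<constructed-refresh-token>",
  scope: "orders.read orders.write",
};
console.log("before fix:", refreshScopeVulnerable(sampleRequest, sampleRecord)); // 200, widened scope
console.log("after fix: ", refreshScopeFixed(sampleRequest, sampleRecord));      // 400 invalid_scope
```

The same isScopeSubset check applied at validation time keeps the scope embedded in the access token as the only source of truth, which is the fourth item of the audit checklist.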
Audit checklist:

- authorization endpoint: explicit scope plus a consent screen;
- token endpoint: audit log of the scope granted in the authorization_code grant;
- refresh-token branch: isScopeSubset enforcement;
- the scope embedded in the access token is the ONLY source of truth at validation;
- audit log for every issuance: {client_id, user_id, granted_scope, grant_type, requested_scope};
- annual penetration test including an RFC compliance check.


thMenu Team

thmenu.com
