feat: improve error message in GetAuthorizationCodeToken()

2025-05-23 02:35:49 +08:00 · 2024-08-09 21:06:23 +08:00 · 2024-08-09 21:06:23 +08:00 · 97dcf24a91
commit 97dcf24a91
parent 4c0fff66ff
1 changed files with 17 additions and 12 deletions
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@ -428,23 +428,27 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 	if token == nil {
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "authorization code is invalid",
+			ErrorDescription: fmt.Sprintf("authorization code: [%s] is invalid", code),
 		}, nil
 	}
+
 	if token.CodeIsUsed {
 		// anti replay attacks
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "authorization code has been used",
+			ErrorDescription: fmt.Sprintf("authorization code has been used for token: [%s]", token.GetId()),
 		}, nil
 	}

-	if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
+	if token.CodeChallenge != "" {
+		challengeAnswer := pkceChallenge(verifier)
+		if challengeAnswer != token.CodeChallenge {
 			return nil, &TokenError{
 				Error:            InvalidGrant,
-			ErrorDescription: "verifier is invalid",
+				ErrorDescription: fmt.Sprintf("verifier is invalid, challengeAnswer: [%s], token.CodeChallenge: [%s]", challengeAnswer, token.CodeChallenge),
 			}, nil
 		}
+	}

 	if application.ClientSecret != clientSecret {
 		// when using PKCE, the Client Secret can be empty,
@ -452,13 +456,13 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 		if token.CodeChallenge == "" {
 			return nil, &TokenError{
 				Error:            InvalidClient,
-				ErrorDescription: "client_secret is invalid",
+				ErrorDescription: fmt.Sprintf("client_secret is invalid for application: [%s], token.CodeChallenge: empty", application.GetId()),
 			}, nil
 		} else {
 			if clientSecret != "" {
 				return nil, &TokenError{
 					Error:            InvalidClient,
-					ErrorDescription: "client_secret is invalid",
+					ErrorDescription: fmt.Sprintf("client_secret is invalid for application: [%s], token.CodeChallenge: [%s]", application.GetId(), token.CodeChallenge),
 				}, nil
 			}
 		}
@ -467,15 +471,16 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 	if application.Name != token.Application {
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "the token is for wrong application (client_id)",
+			ErrorDescription: fmt.Sprintf("the token is for wrong application (client_id), application.Name: [%s], token.Application: [%s]", application.Name, token.Application),
 		}, nil
 	}

-	if time.Now().Unix() > token.CodeExpireIn {
+	nowUnix := time.Now().Unix()
+	if nowUnix > token.CodeExpireIn {
 		// code must be used within 5 minutes
 		return nil, &TokenError{
 			Error:            InvalidGrant,
-			ErrorDescription: "authorization code has expired",
+			ErrorDescription: fmt.Sprintf("authorization code has expired, nowUnix: [%s], token.CodeExpireIn: [%s]", time.Unix(nowUnix, 0).Format(time.RFC3339), time.Unix(token.CodeExpireIn, 0).Format(time.RFC3339)),
 		}, nil
 	}
 	return token, nil, nil