From be6d80c02093842cbfe53e2d44867c255962ea95 Mon Sep 17 00:00:00 2001
From: Emelia <thisismissem@noreply.codeberg.org>
Date: Tue, 3 Jun 2025 10:04:15 +0200
Subject: [PATCH] [chore] Remove insecure PKCE Code Challenge Method for plain
 (#4232)

# Description

As I noted in https://codeberg.org/superseriousbusiness/gotosocial/pulls/2224 the PKCE code challenge method of "plain" is insecure and its usage is not recommend. In Mastodon and Hollo, we do not support it, as indicated by the `code_challenge_methods_supported` value here: https://mastodon.social/.well-known/oauth-authorization-server

This pull request removes the support for PKCE code challenge method "plain".

## Checklist

Please put an x inside each checkbox to indicate that you've read and followed it: `[ ]` -> `[x]`

If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want).

- [x] I/we have read the [GoToSocial contribution guidelines](https://codeberg.org/superseriousbusiness/gotosocial/src/branch/main/CONTRIBUTING.md).
- [ ] I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
- [x] I/we have not leveraged AI to create the proposed changes.
- [x] I/we have performed a self-review of added code.
- [x] I/we have written code that is legible and maintainable by others.
- [ ] I/we have commented the added code, particularly in hard-to-understand areas.
- [ ] I/we have made any necessary changes to documentation.
- [ ] I/we have added tests that cover new code.
- [x] I/we have run tests and they pass locally with the changes.
- [ ] I/we have run `go fmt ./...` and `golangci-lint run`.

I do get test failures locally, due to file sizes for media being different, but that's definitely unrelated to this change, as far as I can tell there is zero test coverage this part of the GTS code.

Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4232
Co-authored-by: Emelia <thisismissem@noreply.codeberg.org>
Co-committed-by: Emelia <thisismissem@noreply.codeberg.org>
---
 internal/oauth/server.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/internal/oauth/server.go b/internal/oauth/server.go
index 05e8cad44..05872318a 100644
--- a/internal/oauth/server.go
+++ b/internal/oauth/server.go
@@ -126,7 +126,6 @@ func New(
 				oauth2.ClientCredentials,
 			},
 			AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{
-				oauth2.CodeChallengePlain,
 				oauth2.CodeChallengeS256,
 			},
 		},