API: Show different ids on reshares / don't check for client secret

2025-04-22 05:50:13 +00:00 · 2023-01-22 11:25:31 +00:00 · 2023-01-22 11:25:31 +00:00 · 2ecc797541
commit 2ecc797541
parent 4b73335def
2 changed files with 14 additions and 1 deletions
--- a/src/Module/OAuth/Token.php
+++ b/src/Module/OAuth/Token.php
@ -68,7 +68,8 @@ class Token extends BaseApi
 			}
 		}

-		if (empty($request['client_id']) || empty($request['client_secret'])) {
+		// "client_secret" is required for "client_credentials": https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
+		if (empty($request['client_id']) || (($request['grant_type'] == 'client_credentials') && empty($request['client_secret']))) {
 			Logger::warning('Incomplete request data', ['request' => $request]);
 			DI::mstdnError()->Unauthorized('invalid_client', DI::l10n()->t('Incomplete request data'));
 		}