Check code_challenge_methods_supported too

cheeaun · Aug 31, 2024 · 9fd17ad · 9fd17ad
1 parent 0e961e8
commit 9fd17ad
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/utils/oauth-pkce.js b/src/utils/oauth-pkce.js
@@ -26,15 +26,17 @@ export async function generateCodeChallenge(v) {
   return base64urlencode(hashed);
 }
 
-// If https://mastodon.social/.well-known/oauth-authorization-server exists, means support PKCE
+// If /.well-known/oauth-authorization-server exists and code_challenge_methods_supported includes "S256", means support PKCE
 export async function supportsPKCE({ instanceURL }) {
   if (!instanceURL) return false;
   try {
     const res = await fetch(
       `https://${instanceURL}/.well-known/oauth-authorization-server`,
     );
     if (!res.ok || res.status !== 200) return false;
-    return true;
+    const json = await res.json();
+    if (json.code_challenge_methods_supported?.includes('S256')) return true;
+    return false;
   } catch (e) {
     return false;
   }