From 9fd17ad5e6b62c18d4fa258331ccf3e695a02e27 Mon Sep 17 00:00:00 2001
From: Lim Chee Aun
Date: Sat, 31 Aug 2024 23:10:38 +0800
Subject: [PATCH] Check code_challenge_methods_supported too
---
 src/utils/oauth-pkce.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/utils/oauth-pkce.js b/src/utils/oauth-pkce.js
index 27f9cbdb6..084309b2c 100644
--- a/src/utils/oauth-pkce.js
+++ b/src/utils/oauth-pkce.js
@@ -26,7 +26,7 @@ export async function generateCodeChallenge(v) {
 return base64urlencode(hashed);
 }
 
-// If https://mastodon.social/.well-known/oauth-authorization-server exists, means support PKCE
+// If /.well-known/oauth-authorization-server exists and code_challenge_methods_supported includes "S256", means support PKCE
 export async function supportsPKCE({ instanceURL }) {
 if (!instanceURL) return false;
 try {
@@ -34,7 +34,9 @@ export async function supportsPKCE({ instanceURL }) {
 `https://${instanceURL}/.well-known/oauth-authorization-server`,
 );
 if (!res.ok || res.status !== 200) return false;
- return true;
+ const json = await res.json();
+ if (json.code_challenge_methods_supported?.includes('S256')) return true;
+ return false;
 } catch (e) {
 return false;
 }
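Review bot: In the second hunk, `json.code_challenge_methods_supported?.includes('S256')` trusts the shape of metadata served by a remote instance: if the field arrives as a string, `String.prototype.includes` performs a substring match, so a value such as "XS256" (constructed example) would be reported as PKCE support, and a `null` body or other non-array value is handled only because the resulting TypeError lands in the surrounding catch. RFC 8414 defines this field as a JSON array, so I would check the type explicitly: `const methods = json?.code_challenge_methods_supported;` followed by `return Array.isArray(methods) && methods.includes('S256');`. A short comment stating that every failure path (network error, non-200, unparsable JSON) returns false would also help, since callers presumably fall back to a flow without PKCE in that case and the next reader should be able to judge that downgrade behaviour. supportsPKCE starts in the previous hunk and its closing brace lies outside this one.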