fix(oauth): make the throttling reason more specific

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

apps/oauth2/lib/Controller/OauthApiController.php

@@ -197,6 +197,9 @@ public function getToken(
 		$newToken = $this->secureRandom->generate(72, ISecureRandom::CHAR_ALPHANUMERIC);
 		$newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_ALPHANUMERIC);
 		$newEncryptedToken = $this->crypto->encrypt($newToken, $newCode);
+		$redeemedThrottleReason = $grant_type === 'authorization_code'
+			? 'authorization_code_already_redeemed'
+			: 'refresh_token_already_redeemed';
 		$tokenRotated = false;
 
 		$this->db->beginTransaction();
@@ -227,7 +230,7 @@ public function getToken(
 				$response = new JSONResponse([
 					'error' => 'invalid_request',
 				], Http::STATUS_BAD_REQUEST);
-				$response->throttle(['invalid_request' => 'token already redeemed']);
+				$response->throttle(['invalid_request' => $redeemedThrottleReason]);
 				return $response;
 			}
 

apps/oauth2/tests/Controller/OauthApiControllerTest.php

@@ -672,7 +672,7 @@ public function testRefreshTokenRedeemedConcurrently(): void {
 		$expected = new JSONResponse([
 			'error' => 'invalid_request',
 		], Http::STATUS_BAD_REQUEST);
-		$expected->throttle(['invalid_request' => 'token already redeemed']);
+		$expected->throttle(['invalid_request' => 'refresh_token_already_redeemed']);
 
 		$accessToken = new AccessToken();
 		$accessToken->setId(21);