Authorization Code Can Be Reused Multiple Times in Login Flow (Security Issue) #2495

@piyushsinghgaur1

Description

Summary

The current authentication flow allows the authorization code returned by /auth/login to be reused multiple times when calling /auth/token. This violates expected security behavior, as authorization codes should be single-use tokens.

Steps to Reproduce

  1. Call POST /auth/login with valid credentials.
  2. Receive an authorization code in the response.
  3. Call POST /auth/token using the authorization code to obtain an access token.
  4. Repeat step 3 using the same authorization code.

Expected Behavior

  • The authorization code should be valid for one-time use only.
  • Any subsequent attempts to reuse the same code should result in an error (e.g., invalid_grant or similar).

Actual Behavior

  • The same authorization code can be reused multiple times to generate new access tokens.
  • No restriction or invalidation occurs after the first use.

Impact

  • This creates a potential security vulnerability, as intercepted or leaked authorization codes can be reused to obtain multiple access tokens.
  • Violates standard practices for secure authentication flows (e.g., OAuth2 authorization code flow).

Suggested Fix

  • Invalidate the authorization code immediately after its first successful use.
  • Optionally:
    • Track usage status in the database (e.g., used: true).
    • Return an error if a previously used code is presented again.

Additional Context

Ensuring authorization codes are single-use is critical to prevent replay attacks and align with secure authentication standards.
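As an added example to illustrate the Suggested Fix (not the project's own code; the store class, the handler name and the token format are assumed): a small Python authorization-code store in which the /auth/token step consumes a code exactly once under a lock, enforces a short expiry, and answers any reuse with invalid_grant.

```python
import secrets
import threading
import time
from typing import Optional


class InvalidGrant(Exception):
    """Unknown, expired, or already-used authorization code."""


class AuthCodeStore:
    """Single-use authorization codes; check-and-consume is atomic (assumed design)."""

    def __init__(self, ttl_seconds: float = 60.0) -> None:
        self.ttl_seconds = ttl_seconds
        self._codes: dict = {}                    # code -> [user_id, expires_at, used]
        self._lock = threading.Lock()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """What /auth/login would call after a successful credential check."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)          # unguessable, 256 bits of entropy
        with self._lock:
            self._codes[code] = [user_id, now + self.ttl_seconds, False]
        return code

    def redeem(self, code: str, now: Optional[float] = None) -> str:
        """What /auth/token would call: consume the code exactly once."""
        now = time.time() if now is None else now
        with self._lock:                          # one lock covers lookup and mark
            entry = self._codes.get(code)
            if entry is None:
                raise InvalidGrant("unknown code")
            user_id, expires_at, used = entry
            if used or now > expires_at:
                # A second presentation is a replay signal: log it, and per
                # RFC 6749 4.1.2 revoke tokens already minted from this code.
                raise InvalidGrant("code already used or expired")
            entry[2] = True                       # mark used before releasing lock
        return user_id


def token_endpoint(store: AuthCodeStore, code: str, now: Optional[float] = None) -> dict:
    """Minimal /auth/token handler: any reuse or bad code yields invalid_grant."""
    try:
        user_id = store.redeem(code, now)
    except InvalidGrant:
        return {"status": 400, "error": "invalid_grant"}
    return {"status": 200, "token_type": "Bearer", "access_token": f"access-for-{user_id}"}
```

In a multi-process deployment the same check-and-mark must be one atomic operation in the shared database (e.g. a conditional update on the used flag), not a read followed by a write.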

Labels

bug
