1 files changed, 20 insertions(+), 13 deletions(-)

M routes.go

@@ 751,26 751,33 @@ func (s *Service) RevokeTokenPOST(c echo.Context) error {
 		return s.accessTokenError(c, "invalid_request",
 			"Invalid Authorization header", 400)
 	}
-	z := strings.SplitN(header, " ", 2)
-	if len(z) != 2 {
-		return s.accessTokenError(c, "invalid_request",
+	parts := strings.SplitN(header, " ", 2)
+	if len(parts) != 2 || parts[0] != "Basic" {
+		return s.accessTokenError(c, "invalid_client",
 			"Invalid Authorization header", 400)
 	}
-	if strings.ToLower(z[0]) != "basic" {
-		return s.accessTokenError(c, "invalid_request",
+	bytes, err := base64.StdEncoding.DecodeString(parts[1])
+	if err != nil {
+		return s.accessTokenError(c, "invalid_client",
+			"Invalid Authorization header contents", 400)
+	}
+	auth := string(bytes)
+	if !strings.Contains(auth, ":") {
+		return s.accessTokenError(c, "invalid_client",
 			"Invalid Authorization header", 400)
 	}
-	idsec, err := base64.StdEncoding.DecodeString(z[1])
+	parts = strings.SplitN(auth, ":", 2)
+	clientID, err := url.PathUnescape(parts[0])
 	if err != nil {
-		return s.accessTokenError(c, "invalid_request",
-			"Invalid Authorization header", 400)
+		return s.accessTokenError(c, "invalid_client",
+			"Invalid Authorization header contents", 400)
 	}
-	z = strings.SplitN(string(idsec), ":", 2)
-	if len(z) != 2 {
-		return s.accessTokenError(c, "invalid_request",
-			"Invalid Authorization header", 400)
+	clientSecret, err := url.PathUnescape(parts[1])
+	if err != nil {
+		return s.accessTokenError(c, "invalid_client",
+			"Invalid Authorization header contents", 400)
 	}
-	clientID, clientSecret := z[0], z[1]
+
 	client, err := GetClientByID(c.Request().Context(), clientID)
 	if err != nil {
 		c.Response().Header().Set("WWW-Authenticate", "Basic")