Describe the bug
The OAuth token endpoint is configured to accept both POST and GET methods:
```python
# app/oauth/views/token.py line 13
@oauth_bp.route("/token", methods=["POST", "GET"])
```
RFC 6749 Section 3.2 explicitly requires: "The client MUST use the "POST" method when making access token requests."
Accepting GET requests means that client_id, client_secret, and the authorization code are transmitted in the URL query string. This exposes highly sensitive credentials to web server access logs, proxy logs, browser history, and Referer headers.
Expected behavior
The token endpoint should strictly enforce the POST method to comply with the OAuth 2.0 specification and prevent credential leakage in logs:
```python
@oauth_bp.route("/token", methods=["POST"])
```
Additional context
File: app/oauth/views/token.py line 13.
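The two points of the report, a token endpoint that refuses anything but POST and the credential leakage into access logs, as an added example that is not the project's code: a stdlib-only WSGI stand-in for the Flask route (the `token_app`, `call` and `find_leaked_credentials` names, the `SENSITIVE_PARAMS` list and the access-log lines are all constructed for this illustration), plus a defender-side scan that flags log entries whose query string carries OAuth credentials.

```python
# Added example (not from the project's issue or code base): a minimal WSGI
# token endpoint that enforces POST, plus a defender-side check that scans
# access-log lines for OAuth credentials leaked through the query string.
import re
from io import BytesIO
from urllib.parse import parse_qs

# Parameters that must never appear in a URL (and therefore in access logs).
SENSITIVE_PARAMS = ("client_secret", "code", "refresh_token")


def token_app(environ, start_response):
    """Token endpoint that accepts only POST, as RFC 6749 Section 3.2 requires.

    Hypothetical stand-in for the Flask route in the report; the credential
    handling is a stub that only parses the form body.
    """
    if environ.get("PATH_INFO") != "/token":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if environ.get("REQUEST_METHOD") != "POST":
        # 405 with an Allow header tells well-behaved clients what to use;
        # no parameters are read, so nothing sensitive is processed or echoed.
        start_response("405 Method Not Allowed",
                       [("Content-Type", "text/plain"), ("Allow", "POST")])
        return [b"token requests must use POST"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    form = parse_qs(body)
    grant = form.get("grant_type", [""])[0]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [f'{{"received_grant_type": "{grant}"}}'.encode()]


def call(app, method, path, query="", body=b""):
    """Drive a WSGI app directly (no server) and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": BytesIO(body),
    }
    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


# Common Log Format: the request line sits between double quotes.
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_leaked_credentials(log_lines):
    """Return (line_no, method, leaked_param_names) for access-log entries whose
    query string carries OAuth credentials. Works on any log that embeds the
    request line; the sample below is constructed."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = _REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        if "?" not in target:
            continue
        params = parse_qs(target.split("?", 1)[1], keep_blank_values=True)
        leaked = sorted(p for p in SENSITIVE_PARAMS if p in params)
        if leaked:
            findings.append((no, m.group("method"), leaked))
    return findings


# Constructed sample access log: one GET to /token with credentials in the
# URL (the defect described in the report) and two harmless requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /token?grant_type=authorization_code'
    '&code=CONSTRUCTED_CODE&client_id=example-client&client_secret=CONSTRUCTED_SECRET HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "POST /token HTTP/1.1" 200 312',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /authorize?response_type=code&client_id=example-client HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(call(token_app, "GET", "/token", "client_secret=x")[0])
    print(call(token_app, "POST", "/token", body=b"grant_type=authorization_code")[0])
    for no, method, leaked in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {no}: {method} request leaked {', '.join(leaked)}")
```

The method check runs before any parameter is read, which is the property that matters: a GET that slips through a proxy still gets a 405 without the server touching the credentials in the URL. The log scan is the complementary check for an endpoint that has already accepted GET for a while; run it over existing access logs to find which client secrets and codes have to be treated as exposed.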