From 42889149638bac446f964abf5d4e96669d50e39f Mon Sep 17 00:00:00 2001
From: Ricky <42919858+flux-ricky@users.noreply.github.com>
Date: Fri, 9 Aug 2024 18:14:15 +1200
Subject: [PATCH] POST to https://www.googleapis.com/oauth2/v3/tokeninfo intead of GET (#457)

To avoid leaking access tokens in logs or traces from the client application.
---
 lib/omniauth/strategies/google_oauth2.rb | 2 +-
 spec/omniauth/strategies/google_oauth2_spec.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/omniauth/strategies/google_oauth2.rb b/lib/omniauth/strategies/google_oauth2.rb
index c6c103a..9acda88 100644
--- a/lib/omniauth/strategies/google_oauth2.rb
+++ b/lib/omniauth/strategies/google_oauth2.rb
@@ -231,7 +231,7 @@ def token_info(access_token)
         return nil unless access_token
         @token_info ||= Hash.new do |h, k|
-          h[k] = client.request(:get, 'https://www.googleapis.com/oauth2/v3/tokeninfo', params: { access_token: access_token }).parsed
+          h[k] = client.request(:post, 'https://www.googleapis.com/oauth2/v3/tokeninfo', body: { access_token: access_token }).parsed
         end
         @token_info[access_token]
diff --git a/spec/omniauth/strategies/google_oauth2_spec.rb b/spec/omniauth/strategies/google_oauth2_spec.rb
index 91d7ea4..ed9c663 100644
--- a/spec/omniauth/strategies/google_oauth2_spec.rb
+++ b/spec/omniauth/strategies/google_oauth2_spec.rb
@@ -384,7 +384,7 @@
       subject.options.client_options[:connection_build] = proc do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/oauth2/v3/tokeninfo?access_token=valid_access_token') do
+          stub.post('/oauth2/v3/tokeninfo', 'access_token=valid_access_token') do
             [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
               aud: '000000000000.apps.googleusercontent.com',
               sub: '123456789',
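Review bot: The new `:post` line carries no hint of why the token now travels in the request body instead of the query string, so a later "simplify" pass could revert it to GET without noticing the logging concern the commit message states; add a comment above the `client.request` call, e.g. `# POST with the token in the body: a query-string token ends up in access logs, proxies and tracing spans`. That comment should also say the protection is URL-level only — any middleware that logs request bodies will still record the token. The `body:` hash reaches Google form-encoded only if the client's connection stack url-encodes it (the spec's `builder.request :url_encoded` suggests that is what is expected), so confirm the production connection built by the oauth2 client does the same. `token_info` begins at the `@@` context line and its closing `end` lies outside the hunk.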
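Review bot: The three new stubs (this hunk, `@@ -781` and `@@ -792`) match on the exact form-encoded body `access_token=valid_access_token`, so they pin the body encoding as well as the verb, and that encoding comes from the `builder.request :url_encoded` line in the spec's own connection rather than from the strategy's production connection. If the strategy's connection ever stops url-encoding the hash body, these specs would presumably fail as an unmatched route rather than with a message naming the encoding; a stub block that inspects the request body would make that failure legible, but the exact match is an adequate regression guard for the GET-to-POST change. The enclosing example block starts and ends outside the hunk.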
@@ -781,7 +781,7 @@
       subject.options.client_options[:connection_build] = proc do |builder|
         builder.request :url_encoded
         builder.adapter :test do |stub|
-          stub.get('/oauth2/v3/tokeninfo?access_token=valid_access_token') do
+          stub.post('/oauth2/v3/tokeninfo', 'access_token=valid_access_token') do
             [200, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(
               aud: '000000000000.apps.googleusercontent.com',
               sub: '123456789',
@@ -792,7 +792,7 @@
               expires_in: 436
             )]
           end
-          stub.get('/oauth2/v3/tokeninfo?access_token=invalid_access_token') do
+          stub.post('/oauth2/v3/tokeninfo', 'access_token=invalid_access_token') do
             [400, { 'Content-Type' => 'application/json; charset=UTF-8' }, JSON.dump(error_description: 'Invalid Value')]
           end
         end