From 3ad6f2fac463d40b40befe03d3afd1304e0eb49f Mon Sep 17 00:00:00 2001 From: JackZhao10086 Date: Fri, 17 Apr 2026 16:29:04 +0800 Subject: [PATCH] Revert "Add client_secret to device authorization request (#517)" (#539) This reverts commit 663c24aadf7166ffb158270d25485b0d55d954b0. --- internal/auth/device_flow.go | 1 - internal/auth/device_flow_test.go | 30 ------------------------------ 2 files changed, 31 deletions(-) diff --git a/internal/auth/device_flow.go b/internal/auth/device_flow.go index 8f87a8af5..7d2c8ca41 100644 --- a/internal/auth/device_flow.go +++ b/internal/auth/device_flow.go @@ -79,7 +79,6 @@ func RequestDeviceAuthorization(httpClient *http.Client, appId, appSecret string form := url.Values{} form.Set("client_id", appId) - form.Set("client_secret", appSecret) form.Set("scope", scope) req, err := http.NewRequest("POST", endpoints.DeviceAuthorization, strings.NewReader(form.Encode())) diff --git a/internal/auth/device_flow_test.go b/internal/auth/device_flow_test.go index a795e79e2..5493220af 100644 --- a/internal/auth/device_flow_test.go +++ b/internal/auth/device_flow_test.go @@ -109,36 +109,6 @@ func TestFormatAuthCmdline_TruncatesExtraArgs(t *testing.T) { } } -// TestRequestDeviceAuthorization_ClientSecretInBody checks that client_secret is sent in the form body. -func TestRequestDeviceAuthorization_ClientSecretInBody(t *testing.T) { - reg := &httpmock.Registry{} - t.Cleanup(func() { reg.Verify(t) }) - - stub := &httpmock.Stub{ - Method: "POST", - URL: PathDeviceAuthorization, - Body: map[string]interface{}{ - "device_code": "dc", - "user_code": "uc", - "verification_uri": "https://example.com/verify", - "verification_uri_complete": "https://example.com/verify?code=123", - "expires_in": 240, - "interval": 5, - }, - } - reg.Register(stub) - - _, err := RequestDeviceAuthorization(httpmock.NewClient(reg), "cli_a", "secret_b", core.BrandFeishu, "", nil) - if err != nil { - t.Fatalf("RequestDeviceAuthorization() error: %v", err) - } - - body := string(stub.CapturedBody) - if !strings.Contains(body, "client_secret=secret_b") { - t.Errorf("expected client_secret in form body, got %q", body) - } -} - // TestLogAuthResponse_IgnoresTypedNilHTTPResponse tests that a typed nil HTTP response is ignored gracefully. func TestLogAuthResponse_IgnoresTypedNilHTTPResponse(t *testing.T) { var buf bytes.Buffer