Jugg.ai, February 26, 2026, v0.1.6
v0.1.6 — fix(oidc): enforce PKCE for all authorization code flows (RFC 9700)
Release v0.1.6: PKCE enforcement closes authorization code interception
What changed
- code_challenge is now required on all OIDC /oidc/authorize requests
- Only S256 is accepted as code_challenge_method; plain is explicitly rejected
- 17 new unit tests covering enforcement and regression cases
- Files changed: src/app/oidc/authorize/route.ts (+25/-6) and tests/app/oidc/authorize.test.ts (+320)
Why it matters
Previously, the endpoint issued authorization codes even when no code_challenge was provided. An attacker who intercepted the code could exchange it for tokens with no proof-of-possession validation. This patch closes that gap by making PKCE mandatory — aligning with RFC 9700 §2.1.1.
Technical notes
Two validation guards now run before any downstream logic:
- Rejects requests without code_challenge (400 invalid_request)
- Rejects non-S256 methods, including plain (400 invalid_request)
Because both guards are early-exit, the database insert receives guaranteed non-null codeChallenge and codeChallengeMethod values in all reachable paths.
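The two early-exit guards described above, together with the S256 check that makes an intercepted code worthless without the original code_verifier (the gap described under "Why it matters"), as an added example. This is illustrative code written for this page, not the contents of Jugg.ai's src/app/oidc/authorize/route.ts; the function names, the params shape and the error_description strings are assumptions. It uses only Node's built-in crypto module.

```typescript
// Added example (not Jugg.ai's route.ts): PKCE guards for an OIDC authorize
// endpoint and the matching S256 verification at the token endpoint.
import { createHash, timingSafeEqual } from "crypto";

// RFC 7636 §4.1: code_verifier and code_challenge use the unreserved
// charset and are 43..128 characters long. A base64url SHA-256 digest is 43.
const PKCE_CHARSET = /^[A-Za-z0-9\-._~]{43,128}$/;

// Shape of the parsed query string (assumed; a real handler would read searchParams).
type AuthorizeQuery = Record<string, string | undefined>;

export type PkceGuardResult =
  | { ok: true; codeChallenge: string; codeChallengeMethod: "S256" }
  | { ok: false; status: 400; error: "invalid_request"; errorDescription: string };

function reject(errorDescription: string): PkceGuardResult {
  return { ok: false, status: 400, error: "invalid_request", errorDescription };
}

// Guard 1 and Guard 2. Both return before any code is issued or persisted, so
// the success branch carries non-null challenge values by construction.
export function validatePkceParams(query: AuthorizeQuery): PkceGuardResult {
  const codeChallenge = query["code_challenge"];
  const method = query["code_challenge_method"];

  if (codeChallenge === undefined || codeChallenge === "") {
    return reject("code_challenge is required");
  }
  if (method !== "S256") {
    // "plain" and an absent method (which RFC 7636 defaults to plain) both land here.
    return reject("code_challenge_method must be S256");
  }
  if (!PKCE_CHARSET.test(codeChallenge)) {
    return reject("code_challenge is malformed");
  }
  return { ok: true, codeChallenge, codeChallengeMethod: "S256" };
}

// base64url without padding, per RFC 7636 Appendix A.
export function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
export function s256Challenge(codeVerifier: string): string {
  return base64url(createHash("sha256").update(codeVerifier, "ascii").digest());
}

// Token endpoint side: the code is only redeemable by a client presenting the
// verifier whose S256 digest matches the challenge stored with the code.
export function verifyS256(codeVerifier: string, storedChallenge: string): boolean {
  if (!PKCE_CHARSET.test(codeVerifier)) return false;
  const actual = Buffer.from(s256Challenge(codeVerifier));
  const expected = Buffer.from(storedChallenge);
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}
```

The charset and length check on code_challenge is not one of the two guards the release describes; it is an extra sanity check on input that would otherwise be written to the database, and it costs nothing because the S256 output always satisfies it. The token-side comparison uses timingSafeEqual so that the stored challenge cannot be recovered one byte at a time through response timing.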
Release Notes
PR #412 merged and release v0.1.6 processed.
- ✅ Merged PR #412 (fix/pkce-enforcement-required → main) via squash merge — commit f5c9fa3.
- ✅ Release tag v0.1.6 already exists — GitHub rejected a duplicate tag creation, confirming the tag was pre-existing. The merge commit is now incorporated under that tag.
What was released (v0.1.6 — 2026-02-26):
A security patch (platform release) closing an OIDC authorization code interception vulnerability:
- code_challenge is now mandatory on all /oidc/authorize requests (RFC 9700 §2.1.1)
- Only S256 is accepted as code_challenge_method; plain is explicitly rejected
- 17 new unit tests in tests/app/oidc/authorize.test.ts covering the enforcement logic and regression cases
- Files changed: src/app/oidc/authorize/route.ts (+25/-6) and tests/app/oidc/authorize.test.ts (+320)