From 1f580f0d8a4328e0fb515eaa16a865384cf02c44 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 14:55:00 +0800
Subject: [PATCH] Adjust OAuth grant validation limits (no code changes yet) (#3261)
* Initial plan
* Increase OAuth state limit
Co-authored-by: HFO4 <16058869+HFO4@users.noreply.github.com>
* Default PKCE method when missing
Co-authored-by: HFO4 <16058869+HFO4@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: HFO4 <16058869+HFO4@users.noreply.github.com>
---
 service/oauth/oauth.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/service/oauth/oauth.go b/service/oauth/oauth.go
index 719c7339..dcf56f2b 100644
--- a/service/oauth/oauth.go
+++ b/service/oauth/oauth.go
@@ -48,10 +48,10 @@ type (
 ClientID string `json:"client_id" binding:"required"`
 ResponseType string `json:"response_type" binding:"required,eq=code"`
 RedirectURI string `json:"redirect_uri" binding:"required"`
- State string `json:"state" binding:"max=255"`
+ State string `json:"state" binding:"max=4096"`
 Scope string `json:"scope" binding:"required"`
 CodeChallenge string `json:"code_challenge" binding:"max=255"`
- CodeChallengeMethod string `json:"code_challenge_method" binding:"eq=S256,omitempty"`
+ CodeChallengeMethod string `json:"code_challenge_method" binding:"omitempty,eq=S256"`
 }
 )
@@ -60,6 +60,9 @@ func (s *GrantService) Get(c *gin.Context) (*GrantResponse, error) {
 user := inventory.UserFromContext(c)
 kv := dep.KV()
 oAuthClient := dep.OAuthClientClient()
+ if s.CodeChallenge != "" && s.CodeChallengeMethod == "" {
+ s.CodeChallengeMethod = "S256"
+ }
 // 1. Get app registration and grant
 app, err := oAuthClient.GetByGUIDWithGrants(c, s.ClientID, user.ID)
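Review bot: `CodeChallenge` is still bounded only by `binding:"max=255"`, so a malformed challenge (wrong length, characters outside the base64url alphabet) is accepted at authorization time and presumably only fails later at token exchange, if that comparison is strict. Since the next tag now pins the method to S256, a valid challenge is by construction the 43-character unpadded base64url encoding of a SHA-256 digest (RFC 7636 §4.2), and the tag can say so: `CodeChallenge string `json:"code_challenge" binding:"omitempty,len=43"``. Raising `State` to 4096 is fine for validation, but state is echoed back in the redirect, so the redirect URL length is now bounded by redirect_uri plus roughly 4 KiB; worth a one-line comment on the field. `CodeChallenge` carries no `required` tag, so as written PKCE is optional for every client, including public ones — whether that is intended is decided outside this hunk. The struct whose fields these are opens before the hunk.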
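Review bot: Defaulting a missing `code_challenge_method` to `"S256"` deviates from RFC 7636 §4.3, which says a server must assume `"plain"` when the parameter is absent; that is the right call for a server that only accepts S256, but it deserves a comment on the added `if`, e.g. `// RFC 7636 §4.3 defaults a missing method to "plain"; this server only supports S256, so treat a missing method as S256. A client that sent a plain challenge fails verification at token exchange, not here.` The inverse case is still silent: a request carrying `code_challenge_method=S256` with no `code_challenge` passes the binding tags and this check and presumably proceeds as a non-PKCE grant, so it should be rejected as an invalid request at the same spot (`if s.CodeChallenge == "" && s.CodeChallengeMethod != ""`); the error constructor the rest of `Get` uses is not visible in the hunk. `Get` continues past the end of the hunk.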