fix: write device_code expiration in session

ory · Jan 24, 2025 · b77efc3 · b77efc3
1 parent 1f15315
commit b77efc3
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/handler/rfc8628/auth_handler.go b/handler/rfc8628/auth_handler.go
@@ -55,6 +55,7 @@ func (d *DeviceAuthHandler) handleDeviceAuthSession(ctx context.Context, dar fos
 	}
 
 	dar.GetSession().SetExpiresAt(fosite.UserCode, time.Now().UTC().Add(d.Config.GetDeviceAndUserCodeLifespan(ctx)).Round(time.Second))
+	dar.GetSession().SetExpiresAt(fosite.DeviceCode, time.Now().UTC().Add(d.Config.GetDeviceAndUserCodeLifespan(ctx)).Round(time.Second))
 	// Note: the retries are added here because we need to ensure uniqueness of user codes.
 	// The chances of duplicates should however be diminishing, because they are the same
 	// chance an attacker will be able to hit a valid code with few guesses. However, as