From 0b74d3b1ad9662ea63d892251afdb21f1e39c4a6 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 15 Jul 2022 11:27:11 +0200
Subject: [PATCH] idp_oidc: adapt error message for expired codes (#67277)
---
 src/authentic2_idp_oidc/views.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index 81e058ea..9625fd75 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -732,12 +732,13 @@ def tokens_from_authz_code(request):
 code = request.POST.get('code')
 if not code:
 raise MissingParameter('code', client=client)
+ oidc_code_qs = models.OIDCCode.objects.filter(expired__gte=now()).select_related()
 try:
- oidc_code = models.OIDCCode.objects.select_related().get(uuid=code)
+ oidc_code = oidc_code_qs.get(uuid=code)
 except models.OIDCCode.DoesNotExist:
- raise InvalidGrant(_('Code is unknown.'), client=client)
+ raise InvalidGrant(_('Code is unknown or has expired.'), client=client)
 if not oidc_code.is_valid():
- raise InvalidGrant(_('Code has expired, user is disconnected or session was lost.'), client=client)
+ raise InvalidGrant(_('User is disconnected or session was lost.'), client=client)
 redirect_uri = request.POST.get('redirect_uri')
 if oidc_code.redirect_uri != redirect_uri:
 raise InvalidGrant(_('Redirect_uri does not match the code.'), client=client)
--
2.35.1
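Review bot: The message raised after `oidc_code.is_valid()` no longer mentions expiry, but nothing in the hunk shows that `is_valid()` stopped checking it. Its body is outside the hunk, and the removed wording suggests it compares `expired` against the clock as well. If it does, a code that passes the `expired__gte=now()` filter and expires before `is_valid()` runs is refused with 'User is disconnected or session was lost.', which misleads anyone reading the client's error logs even though the grant is correctly denied. A comment above the queryset would make the split explicit, for example `# expired codes are filtered out here so they are reported like unknown ones; is_valid() then covers the session state`. The lookup is keyed on `uuid` alone, and whether the code is bound to the authenticated `client` and invalidated after one use is decided outside this hunk, since `tokens_from_authz_code` begins before it and continues after it.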