From 15ac6acb191082a768e4a1750f9eec2fe6936e33 Mon Sep 17 00:00:00 2001
From: Jonas Myrlund <388633+myrlund@users.noreply.github.com>
Date: Tue, 16 Sep 2025 22:43:18 +0200
Subject: [PATCH 1/2] Support not passing secret for public PKCE

---
 src/server/oauth/callback.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/server/oauth/callback.ts b/src/server/oauth/callback.ts
index 3cbe42d..5c2e7ce 100644
--- a/src/server/oauth/callback.ts
+++ b/src/server/oauth/callback.ts
@@ -87,6 +87,10 @@ export async function handleOAuth(
 },
 });
 break;
+ case "none":
+ // Public client: no client authentication on the token endpoint.
+ clientAuth = (_as, _client, _body, _headers) => {};
+ break;
 default:
 throw new Error("unsupported client authentication method");
 }
@@ -135,8 +139,16 @@ export async function handleOAuth(
 // TODO: move away from allowing insecure HTTP requests
 [o.allowInsecureRequests]: true,
 [o.customFetch]: (...args) => {
+ const [url, init] = args;
+ // Drop code_verifier if PKCE not used (existing behavior)
 if (!provider.checks.includes("pkce")) {
- args[1].body.delete("code_verifier");
+ init?.body?.delete?.("code_verifier");
+ }
+ // Lichess public client: add client_id to token request body
+ if (String(url) === as.token_endpoint && client.token_endpoint_auth_method === "none") {
+ const body = init?.body;
+ // oauth4webapi uses URLSearchParams here, so we can safely set()
+ body?.set?.("client_id", String(client.client_id));
 }
 return fetchOpt(provider)[o.customFetch](...args);
 },

From a485055679fe4afeabd17d5360afe3d8711a5846 Mon Sep 17 00:00:00 2001
From: Jonas Myrlund <388633+myrlund@users.noreply.github.com>
Date: Tue, 16 Sep 2025 23:16:16 +0200
Subject: [PATCH 2/2] Remove second patch

---
 src/server/oauth/callback.ts | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/src/server/oauth/callback.ts b/src/server/oauth/callback.ts
index 5c2e7ce..200b21d 100644
--- a/src/server/oauth/callback.ts
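Review bot: The new `case "none"` branch sends the token request with no client authentication, but nothing in the switch ties that to PKCE, and the `customFetch` wrapper further down this same function strips `code_verifier` whenever `provider.checks` lacks `"pkce"` — so a provider configured with `token_endpoint_auth_method: "none"` and no PKCE check would redeem the authorization code with no proof of possession of any kind. RFC 6749 §4.1.3 lets a public client skip authentication only if it still identifies itself with `client_id`, and it is RFC 7636 that makes the unauthenticated exchange safe against code injection; the no-op callback `(_as, _client, _body, _headers) => {}` provides neither. I would reject the combination up front and keep `client_id` on the body: `if (!provider.checks.includes("pkce")) throw new Error("client auth 'none' requires the pkce check");` followed by `clientAuth = (_as, c, body) => { body.set("client_id", c.client_id); };` (if the oauth4webapi version in use exports `o.None()`, that helper presumably does the same and would be the better choice). The enclosing `switch` and `handleOAuth` begin before this hunk.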
+++ b/src/server/oauth/callback.ts
@@ -139,16 +139,8 @@ export async function handleOAuth(
 // TODO: move away from allowing insecure HTTP requests
 [o.allowInsecureRequests]: true,
 [o.customFetch]: (...args) => {
- const [url, init] = args;
- // Drop code_verifier if PKCE not used (existing behavior)
 if (!provider.checks.includes("pkce")) {
- init?.body?.delete?.("code_verifier");
- }
- // Lichess public client: add client_id to token request body
- if (String(url) === as.token_endpoint && client.token_endpoint_auth_method === "none") {
- const body = init?.body;
- // oauth4webapi uses URLSearchParams here, so we can safely set()
- body?.set?.("client_id", String(client.client_id));
+ args[1].body.delete("code_verifier");
 }
 return fetchOpt(provider)[o.customFetch](...args);
 },
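Review bot: Reverting the `customFetch` change removes the only place in this series that put `client_id` on the token request for the `"none"` auth method introduced by the first patch, whose `clientAuth` callback is an empty function — after this hunk the `none` path posts a token request that identifies no client at all. RFC 6749 §4.1.3 makes `client_id` REQUIRED on that request when the client does not otherwise authenticate, so a conforming server may reject it with `invalid_client` or `invalid_request`. Rather than re-adding it inside `customFetch`, the `clientAuth` callback in the earlier `switch` is the right hook, `clientAuth = (_as, c, body) => { body.set("client_id", c.client_id); };`, which is presumably what oauth4webapi's own `o.None()` helper does if that export exists in the version in use. The `customFetch` closure's caller and `handleOAuth` continue outside the hunk.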