OpenStackweb · mulldug · May 13, 2026 · smarcet · May 13, 2026 · smarcet
diff --git a/app/Http/Middleware/OAuth2BearerAccessTokenRequestValidator.php b/app/Http/Middleware/OAuth2BearerAccessTokenRequestValidator.php
@@ -171,9 +171,13 @@ public function handle($request, Closure $next)
                 );
                 throw new InvalidGrantTypeException(OAuth2Protocol::OAuth2Protocol_Error_InvalidToken);
             }
+            $allowedOrigins = array_filter(array_map(
+                fn($o) => rtrim(trim($o), '/'),
+                explode(' ', $token_info->getAllowedOrigins() ?? '')
+            ));
             if (
                 $token_info->getApplicationType() === 'JS_CLIENT'
-                && (is_null($origin) || empty($origin)|| str_contains($token_info->getAllowedOrigins(), $origin) === false )
+                && (is_null($origin) || empty($origin) || !in_array(rtrim($origin, '/'), $allowedOrigins, true))
             ) {
                 //check origins
                 throw new OAuth2ResourceServerException(