{
    "id": "S047",
    "name": "Protect OAuth code flow against CSRF attacks",
    "description": "Implement PKCE (Proof Key for Code Exchange) or state parameter validation to protect the OAuth authorization code flow against CSRF attacks. PKCE is required for public clients and recommended for confidential clients.",
    "category": "security",
    "severity": "high",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "oauth", "pkce", "csrf", "authorization"],
    "examples": {
        "valid": [
            "// PKCE implementation",
            "const codeVerifier = crypto.randomBytes(32).toString('base64url');",
            "const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');",
            "// State parameter",
            "const state = crypto.randomBytes(32).toString('hex');"
        ],
        "invalid": [
            "// No PKCE or state parameter",
            "const authUrl = `${authServer}/authorize?client_id=${clientId}&redirect_uri=${redirectUri}`;",
            "// Static state value",
            "const state = 'fixed-state-value';"
        ]
    },
    "fixable": false,
    "docs": {
        "description": "This rule ensures the OAuth authorization code flow is protected against CSRF attacks using PKCE or a state parameter. PKCE is mandatory for public clients (SPAs, mobile apps). The code_verifier must be cryptographically random, and the code_challenge must be derived from it (for example its SHA-256 digest, as in the valid example). The state parameter must be unique and unguessable per request and validated on callback.",
        "url": "https://datatracker.ietf.org/doc/html/rfc7636"
    }
}
