Client_secret and code_verifier (PKCE) should be transmitted securely #666

@polamayster

Description

client_secret and code_verifier are accepted when sent as parameters in the query string.

Request.client_secret should be checked for presence in the headers or body, and Request.code_verifier only in the body, but not in the query string, as it is sensitive data.
Additional checks might be done, such as that the request type is POST and the data was sent over HTTPS.

When client_secret or code_verifier is sent in the query string it should result in Bad Request, forcing the client to send the data securely.
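As an added illustration of the check requested above (example code, not oauthlib's own implementation), the function below inspects a token request and lists the reasons it should be answered with 400 Bad Request: a sensitive parameter in the query string, a non-POST method, or a non-HTTPS scheme. It also reports where each credential was actually supplied, so a server can accept client_secret from the body or an HTTP Basic Authorization header and code_verifier from the body only. The URI, header and body values in the usage call are constructed sample input.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters that must never travel in the URL: query strings end up in
# access logs, proxy logs, browser history and Referer headers.
SENSITIVE_PARAMS = ("client_secret", "code_verifier")


def credential_locations(uri, headers, body):
    """Map each sensitive parameter to where it was found.

    Values are "query", "body", "header" or None. A Basic Authorization header
    counts as a location for client_secret only (the secret is inside it).
    """
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    body_params = parse_qs(body or "", keep_blank_values=True)
    auth = {k.lower(): v for k, v in (headers or {}).items()}.get("authorization", "")
    found = {}
    for name in SENSITIVE_PARAMS:
        if name in query:
            found[name] = "query"          # insecure: reported as a problem below
        elif name in body_params:
            found[name] = "body"
        elif name == "client_secret" and auth.lower().startswith("basic "):
            found[name] = "header"
        else:
            found[name] = None             # absent, e.g. a public client
    return found


def check_token_request(uri, http_method, headers, body):
    """Return the list of reasons to reject the request; an empty list means it passes."""
    problems = []
    if urlsplit(uri).scheme.lower() != "https":
        problems.append("token request must use HTTPS")
    if http_method.upper() != "POST":
        problems.append("token request must use POST")
    for name, where in credential_locations(uri, headers, body).items():
        if where == "query":
            problems.append(f"{name} must not be sent in the query string")
    return problems


if __name__ == "__main__":
    # Constructed sample: secret and verifier leaked into the URL.
    print(check_token_request(
        "https://as.example/token?client_secret=s3cret&code_verifier=abc123",
        "POST", {}, "grant_type=authorization_code&code=xyz"))
```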
