Fixed verifier hash (#29)
oxisto authored Mar 3, 2022
1 parent 5c11a35 commit 95c1c63
Showing 4 changed files with 14 additions and 8 deletions.
3 changes: 2 additions & 1 deletion .vscode/launch.json
Expand Up @@ -19,7 +19,8 @@
"program": "${workspaceFolder}/cmd/server/server.go",
"args": [
"-port=8000",
"-client-secret=secret"
"-client-secret=secret",
"-redirect-uri=http://localhost:3000/callback"
]
}
]
4 changes: 1 addition & 3 deletions integration_test.go
Expand Up @@ -2,8 +2,6 @@ package oauth2_test

import (
"context"
"crypto/sha256"
"encoding/base64"
"fmt"
"log"
"net"
Expand Down Expand Up @@ -97,7 +95,7 @@ func TestThreeLeggedFlowPublicClient(t *testing.T) {

// create a challenge and verifier
verifier = "012345678901234567890123456789012345678901234567890123456789"
challenge = base64.URLEncoding.EncodeToString(sha256.New().Sum([]byte(verifier)))
challenge = oauth2.GenerateCodeChallenge(verifier)

// Let's pretend to be a browser
res, err = http.Get(config.AuthCodeURL("some-state",
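Review bot: The expected challenge on the new line is now produced by the function under test (`oauth2.GenerateCodeChallenge`), so the test only checks that the server agrees with itself and would not catch a regression in the S256 derivation (for example a return to padded `URLEncoding`, which an RFC 7636 client would not produce). Pin the expectation to a literal computed once outside the code base, e.g. `challenge = "<base64url-sha256-of-verifier, placeholder>"`, so the test remains an interoperability check rather than a consistency check. `testChallenge` in server_test.go has the same weakness. TestThreeLeggedFlowPublicClient starts before the hunk and continues after it.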
11 changes: 10 additions & 1 deletion server.go
Expand Up @@ -169,6 +169,8 @@ func (srv *AuthorizationServer) doAuthorizationCodeFlow(w http.ResponseWriter, r
client *Client
)

w.Header().Add("Access-Control-Allow-Origin", "*")

// Retrieve the client
client, err = srv.retrieveClient(r, true)
if err != nil {
Expand Down Expand Up @@ -299,8 +301,10 @@ func (srv *AuthorizationServer) ValidateCode(verifier string, code string) bool
return false
}

var challenge = GenerateCodeChallenge(verifier)

// Check, if we need to check for a challenge
if info.challenge != "" && subtle.ConstantTimeCompare([]byte(base64.URLEncoding.EncodeToString(sha256.New().Sum([]byte(verifier)))), []byte(info.challenge)) == 0 {
if info.challenge != "" && subtle.ConstantTimeCompare([]byte(challenge), []byte(info.challenge)) == 0 {
return false
}

Expand Down Expand Up @@ -387,3 +391,8 @@ func generateToken(clientID string,

return
}

func GenerateCodeChallenge(verifier string) string {
var digest = sha256.Sum256([]byte(verifier))
return base64.RawURLEncoding.EncodeToString(digest[:])
}
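Review bot: `w.Header().Add("Access-Control-Allow-Origin", "*")` in the first hunk is set unconditionally on the authorization endpoint, before `srv.retrieveClient` has validated the client, and an authorization endpoint is normally reached by browser navigation rather than by cross-origin script, so the wildcard appears wider than the flow needs. If a browser client genuinely calls this endpoint with fetch, consider setting a specific, validated origin after the client lookup succeeds, e.g. `w.Header().Set("Access-Control-Allow-Origin", origin)`, rather than `*`; `Add` will also emit two ACAO headers (which browsers reject) if any middleware already sets one. doAuthorizationCodeFlow starts before the first hunk and continues after it.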
4 changes: 1 addition & 3 deletions server_test.go
Expand Up @@ -3,8 +3,6 @@ package oauth2
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/sha256"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
Expand Down Expand Up @@ -50,7 +48,7 @@ var mockSigningKey = ecdsa.PrivateKey{
}

var testVerifier = "012345678901234567890123456789012345678901234567890123456789"
var testChallenge = base64.URLEncoding.EncodeToString(sha256.New().Sum([]byte(testVerifier)))
var testChallenge = GenerateCodeChallenge(testVerifier)

func TestAuthorizationServer_handleToken(t *testing.T) {
type fields struct {
