From 95c1c63dece2a81d9df32146957ea40740a6fe8b Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Thu, 3 Mar 2022 19:54:08 +0100
Subject: [PATCH] Fixed verifier hash (#29)
---
 .vscode/launch.json | 3 ++-
 integration_test.go | 4 +---
 server.go | 11 ++++++++++-
 server_test.go | 4 +---
 4 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/.vscode/launch.json b/.vscode/launch.json
index b877b79..ff91e98 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -19,7 +19,8 @@
 "program": "${workspaceFolder}/cmd/server/server.go",
 "args": [
 "-port=8000",
- "-client-secret=secret"
+ "-client-secret=secret",
+ "-redirect-uri=http://localhost:3000/callback"
 ]
 }
 ]
diff --git a/integration_test.go b/integration_test.go
index d0dd2e6..178e342 100644
--- a/integration_test.go
+++ b/integration_test.go
@@ -2,8 +2,6 @@ package oauth2_test
 
 import (
 "context"
- "crypto/sha256"
- "encoding/base64"
 "fmt"
 "log"
 "net"
@@ -97,7 +95,7 @@ func TestThreeLeggedFlowPublicClient(t *testing.T) {
 
 // create a challenge and verifier
 verifier = "012345678901234567890123456789012345678901234567890123456789"
- challenge = base64.URLEncoding.EncodeToString(sha256.New().Sum([]byte(verifier)))
+ challenge = oauth2.GenerateCodeChallenge(verifier)
 
 // Let's pretend to be a browser
 res, err = http.Get(config.AuthCodeURL("some-state",
diff --git a/server.go b/server.go
index d42de95..e5fe985 100644
--- a/server.go
+++ b/server.go
@@ -169,6 +169,8 @@ func (srv *AuthorizationServer) doAuthorizationCodeFlow(w http.ResponseWriter, r
 client *Client
 )
 
+ w.Header().Add("Access-Control-Allow-Origin", "*")
+
 // Retrieve the client
 client, err = srv.retrieveClient(r, true)
 if err != nil {
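Review bot: The wildcard `Access-Control-Allow-Origin: *` is added at the very top of doAuthorizationCodeFlow, before the client has been resolved or validated, so it is also stamped on every error response this handler produces. The authorization endpoint is normally reached by a top-level browser navigation, which CORS does not govern, so it is not obvious from the hunk why the header is needed here at all; if a script on another origin genuinely must read this response, echo that one origin (the launch.json change in this commit suggests a configured redirect URI exists, so its origin would be the candidate) instead of `*`, and prefer `w.Header().Set("Access-Control-Allow-Origin", origin)` so a value set by middleware elsewhere is not duplicated. A one-line comment naming the caller that depends on it, e.g. `// CORS: <caller> fetches this endpoint cross-origin`, would make the intent reviewable. doAuthorizationCodeFlow starts before this hunk and continues past it.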
@@ -299,8 +301,10 @@ func (srv *AuthorizationServer) ValidateCode(verifier string, code string) bool
 return false
 }
 
+ var challenge = GenerateCodeChallenge(verifier)
+
 // Check, if we need to check for a challenge
- if info.challenge != "" && subtle.ConstantTimeCompare([]byte(base64.URLEncoding.EncodeToString(sha256.New().Sum([]byte(verifier)))), []byte(info.challenge)) == 0 {
+ if info.challenge != "" && subtle.ConstantTimeCompare([]byte(challenge), []byte(info.challenge)) == 0 {
 return false
 }
 
@@ -387,3 +391,8 @@ func generateToken(clientID string,
 
 return
 }
+
+func GenerateCodeChallenge(verifier string) string {
+ var digest = sha256.Sum256([]byte(verifier))
+ return base64.RawURLEncoding.EncodeToString(digest[:])
+}
diff --git a/server_test.go b/server_test.go
index da3262f..9d2f76e 100644
--- a/server_test.go
+++ b/server_test.go
@@ -3,8 +3,6 @@ package oauth2
 import (
 "crypto/ecdsa"
 "crypto/elliptic"
- "crypto/sha256"
- "encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
@@ -50,7 +48,7 @@ var mockSigningKey = ecdsa.PrivateKey{
 }
 
 var testVerifier = "012345678901234567890123456789012345678901234567890123456789"
-var testChallenge = base64.URLEncoding.EncodeToString(sha256.New().Sum([]byte(testVerifier)))
+var testChallenge = GenerateCodeChallenge(testVerifier)
 
 func TestAuthorizationServer_handleToken(t *testing.T) {
 type fields struct {
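Review bot: In the rewritten condition a code whose stored `info.challenge` is empty still validates with any verifier, including an empty string, because the PKCE comparison only runs when a challenge was recorded at authorization time. If that code was issued to a public client (the integration test touched by this commit exercises exactly that flow), a token request with no stored challenge should be refused rather than accepted; at minimum, a verifier presented for a code that carries no challenge is a mismatch and can be rejected with `if info.challenge == "" && verifier != "" { return false }`, in the spirit of RFC 7636 §4.6. The verifier length bounds of RFC 7636 §4.1 (43–128 characters) are not checked here either; whether that happens earlier is not visible from the hunk. ValidateCode begins before this hunk and continues after it.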
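Review bot: GenerateCodeChallenge is exported but has no doc comment, and nothing in the hunk records which PKCE method it implements or why the commit moves from padded `URLEncoding` to `RawURLEncoding`. I would add `// GenerateCodeChallenge derives the PKCE S256 code_challenge for verifier (RFC 7636 §4.2): the unpadded base64url encoding of SHA-256(verifier). RawURLEncoding is deliberate — a padded encoding never matches a challenge computed by a conforming client.` Presumably the authorization endpoint accepts only `code_challenge_method=S256`; if `plain` is honored somewhere outside this hunk, a note that this helper is S256-only would keep it from being reused for the wrong method.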