fix: update code_verifier to use recommended method (#2620)

The [RFC](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1) says that a code verifier just uses unreserved characters, but the recommended method is that it is a base64-urlencoded 32-octet url. Some implementations of PKCE (most notably the one used by salesforce) require that this is a valid base64 encoded string[1], so this patch switches to using the recommended approach to make it more compatible. [1]: https://help.salesforce.com/s/articleView?id=sf.remoteaccess_pkce.htm&type=5
2025-06-15 00:15:00 +02:00 · 2024-11-06 06:16:39 -08:00
parent 3ceef0cff4
commit 4e2013e6ba
4 changed files with 14 additions and 17 deletions
--- a/pkg/encryption/utils.go
+++ b/pkg/encryption/utils.go
@ -7,7 +7,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"hash"
-	"math/big"
+	"io"
 	"net/http"
 	"strconv"
 	"strings"
@ -83,17 +83,13 @@ func SignedValue(seed string, key string, value []byte, now time.Time) (string,
 	return cookieVal, nil
 }

-func GenerateRandomASCIIString(length int) (string, error) {
-	b := make([]byte, length)
-	charsetLen := new(big.Int).SetInt64(int64(len(asciiCharset)))
-	for i := range b {
-		character, err := rand.Int(rand.Reader, charsetLen)
-		if err != nil {
-			return "", err
-		}
-		b[i] = asciiCharset[character.Int64()]
+// GenerateCodeVerifierString returns a base64 encoded string of n random bytes
+func GenerateCodeVerifierString(n int) (string, error) {
+	data := make([]byte, n)
+	if _, err := io.ReadFull(rand.Reader, data); err != nil {
+		return "", err
 	}
-	return string(b), nil
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(data), nil
 }

 func GenerateCodeChallenge(method, codeVerifier string) (string, error) {