use verifyChallenge

Kagami Sascha Rosylight 2023-05-27 15:19:55 +02:00
parent 9c29880f8b
commit c0f63234d7


@ -12,6 +12,7 @@ import fastifyView from '@fastify/view';
import pug from 'pug'; import pug from 'pug';
import bodyParser from 'body-parser'; import bodyParser from 'body-parser';
import fastifyExpress from '@fastify/express'; import fastifyExpress from '@fastify/express';
import { verifyChallenge } from 'pkce-challenge';
import { secureRndstr } from '@/misc/secure-rndstr.js'; import { secureRndstr } from '@/misc/secure-rndstr.js';
import { MetaService } from '@/core/MetaService.js'; import { MetaService } from '@/core/MetaService.js';
import { HttpRequestService } from '@/core/HttpRequestService.js'; import { HttpRequestService } from '@/core/HttpRequestService.js';
@ -251,12 +252,6 @@ async function discoverClientInformation(httpRequestService: HttpRequestService,
// }; // };
// } // }
function pkceS256(codeVerifier: string): string {
return crypto.createHash('sha256')
.update(codeVerifier, 'ascii')
.digest('base64url');
}
type OmitFirstElement<T extends unknown[]> = T extends [unknown, ...(infer R)] type OmitFirstElement<T extends unknown[]> = T extends [unknown, ...(infer R)]
? R ? R
: []; : [];
@ -365,7 +360,8 @@ export class OAuth2ProviderService {
delete TEMP_GRANT_CODES[code]; delete TEMP_GRANT_CODES[code];
if (body.client_id !== granted.clientId) return [false]; if (body.client_id !== granted.clientId) return [false];
if (redirectUri !== granted.redirectUri) return [false]; if (redirectUri !== granted.redirectUri) return [false];
if (!body.code_verifier || pkceS256(body.code_verifier as string) !== granted.codeChallenge) return [false]; if (!body.code_verifier) return [false];
if (!(await verifyChallenge(body.code_verifier as string, granted.codeChallenge))) return [false];
const accessToken = secureRndstr(128, true); const accessToken = secureRndstr(128, true);