better challenge validation

thegrumpylion · thegrumpylion · commit 7b9faad50f52 · 2020-12-20T12:31:21.000+02:00
- removing padding before comparing base64(sha256) results
- plaintest string to 43 chars
diff --git a/const.go b/const.go
@@ -3,6 +3,7 @@ package oauth2
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"strings"
 )
 
 // ResponseType the type of authorization request
@@ -65,7 +66,10 @@ func (ccm CodeChallengeMethod) Validate(cc, ver string) bool {
 		return cc == ver
 	case CodeChallengeS256:
 		s256 := sha256.Sum256([]byte(ver))
-		return base64.URLEncoding.EncodeToString(s256[:]) == cc
+		// trim padding
+		a := strings.TrimRight(base64.URLEncoding.EncodeToString(s256[:]), "=")
+		b := strings.TrimRight(cc, "=")
+		return a == b
 	default:
 		return false
 	}
diff --git a/const_test.go b/const_test.go
@@ -19,3 +19,10 @@ func TestValidateS256(t *testing.T) {
 		t.Fatal("not valid")
 	}
 }
+
+func TestValidateS256NoPadding(t *testing.T) {
+	cc := oauth2.CodeChallengeS256
+	if !cc.Validate("W6YWc_4yHwYN-cGDgGmOMHF3l7KDy7VcRjf7q2FVF-o", "s256test") {
+		t.Fatal("not valid")
+	}
+}
diff --git a/server/server_test.go b/server/server_test.go
@@ -24,7 +24,7 @@ var (
 	clientID     = "111111"
 	clientSecret = "11111111"
 
-	plainChallenge = "plaintest"
+	plainChallenge = "ThisIsAFourtyThreeCharactersLongStringThing"
 	s256Challenge  = "s256test"
 	// echo s256test | sha256 | base64 | tr '/+' '_-'
 	s256ChallengeHash = "W6YWc_4yHwYN-cGDgGmOMHF3l7KDy7VcRjf7q2FVF-o="

Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,10 @@ func TestValidateS256(t *testing.T) {`
`19`	`19`	`t.Fatal("not valid")`
`20`	`20`	`}`
`21`	`21`	`}`
	`22`	`+`
	`23`	`+func TestValidateS256NoPadding(t *testing.T) {`
	`24`	`+ cc := oauth2.CodeChallengeS256`
	`25`	`+ if !cc.Validate("W6YWc_4yHwYN-cGDgGmOMHF3l7KDy7VcRjf7q2FVF-o", "s256test") {`
	`26`	`+ t.Fatal("not valid")`
	`27`	`+ }`
	`28`	`+}`