
refactor randomNonce to secureRandomBase64(n)

+8 -8
+4 -4
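--- a/atproto/auth/oauth/oauth.go
+++ b/atproto/auth/oauth/oauth.go
@@ -237,7 +237,7 @@
 Issuer: cfg.ClientID,
 Subject: cfg.ClientID,
 Audience: []string{authURL},
-ID: randomNonce(),
+ID: secureRandomBase64(16),
 IssuedAt: jwt.NewNumericDate(time.Now()),
 },
 }
@@ -261,7 +261,7 @@
 HTTPMethod: httpMethod,
 TargetURI: url,
 RegisteredClaims: jwt.RegisteredClaims{
-ID: randomNonce(),
+ID: secureRandomBase64(16),
 IssuedAt: jwt.NewNumericDate(time.Now()),
 ExpiresAt: jwt.NewNumericDate(time.Now().Add(JWT_EXPIRATION_DURATION)),
 },
@@ -307,8 +307,8 @@
 func (app *ClientApp) SendAuthRequest(ctx context.Context, authMeta *AuthServerMetadata, scope, loginHint string) (*AuthRequestData, error) {
 
 parURL := authMeta.PushedAuthorizationRequestEndpoint
-state := randomNonce()
-pkceVerifier := fmt.Sprintf("%s%s%s", randomNonce(), randomNonce(), randomNonce())
+state := secureRandomBase64(16)
+pkceVerifier := secureRandomBase64(48)
 
 // generate PKCE code challenge for use in PAR request
 codeChallenge := S256CodeChallenge(pkceVerifier)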
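Review bot: Removing the `fmt.Sprintf` call at old line 311 in SendAuthRequest may leave the `fmt` import of oauth.go unused, which is a compile error in Go; the import block is outside this section, so confirm `fmt` is still referenced elsewhere in the file or drop it in the same commit. The new `secureRandomBase64(48)` verifier encodes to 64 unpadded base64url characters, which fits the 43–128 character range RFC 7636 requires, so a one-line comment such as `// 48 random bytes -> 64 base64url chars, within the RFC 7636 43..128 verifier length` would record why 48 was chosen. SendAuthRequest continues past the end of the hunk.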
+1 -1
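--- a/atproto/auth/oauth/session.go
+++ b/atproto/auth/oauth/session.go
@@ -178,7 +178,7 @@
 AccessTokenHash: &ath,
 RegisteredClaims: jwt.RegisteredClaims{
 Issuer: sess.Data.AuthServerURL,
-ID: randomNonce(),
+ID: secureRandomBase64(16),
 IssuedAt: jwt.NewNumericDate(time.Now()),
 ExpiresAt: jwt.NewNumericDate(time.Now().Add(JWT_EXPIRATION_DURATION)),
 },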
+3 -3
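--- a/atproto/auth/oauth/util.go
+++ b/atproto/auth/oauth/util.go
@@ -6,9 +6,9 @@
 "encoding/base64"
 )
 
-// this generates pseudo-unique nonces to prevent token (JWT) replay. these do not need to be cryptographically resilient
-func randomNonce() string {
-buf := make([]byte, 16)
+// This is used both for PKCE challenges, and for pseudo-unique nonces to prevent token (JWT) replay.
+func secureRandomBase64(sizeBytes uint) string {
+buf := make([]byte, sizeBytes)
 rand.Read(buf)
 return base64.RawURLEncoding.EncodeToString(buf)
 }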
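Review bot: The result of `rand.Read(buf)` is still discarded in secureRandomBase64, and now that the output feeds the PKCE verifier as well as JWT IDs, a read failure on toolchains where crypto/rand.Read can return an error (before Go 1.24) would silently encode a partially zeroed buffer; `if _, err := rand.Read(buf); err != nil { panic("secureRandomBase64: " + err.Error()) }` keeps the signature and makes that failure loud. The `rand` import sits above the hunk, so confirm it is `crypto/rand` rather than `math/rand`, since the new comment and name promise a secure source. A `sizeBytes` of 0 yields an empty string, which callers would then use as a nonce or verifier; a guard or a documented minimum would close that. The new comment should also follow Go doc style and start with the name, e.g. `// secureRandomBase64 returns sizeBytes bytes from the random source encoded as unpadded base64url; used for PKCE verifiers and for pseudo-unique JWT IDs.`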