OAuth 2.0 authorization and token exchange


Use eqaf for constant-time state comparison; fix SCITT doc wording

Replace hand-rolled constant-time string comparison in OAuth
validate_state with Eqaf.equal, and guard against empty state strings.
Fix misleading "most recent" wording in SCITT params doc.

+12 -11
+11 -1
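--- a/lib/dune
+++ b/lib/dune
@@ -1,4 +1,14 @@
 (library
  (name oauth)
  (public_name oauth)
- (libraries uri jsont jsont.bytesrw crypto-rng digestif base64 fmt ohex logs))
+ (libraries
+  uri
+  jsont
+  jsont.bytesrw
+  crypto-rng
+  digestif
+  base64
+  eqaf
+  fmt
+  ohex
+  logs))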
+1 -10
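--- a/lib/oauth.ml
+++ b/lib/oauth.ml
@@ -170,16 +170,7 @@
 let generate_state () = Ohex.encode (Crypto_rng.generate 32)
 
 let validate_state ~expected ~actual =
-  let len_e = String.length expected in
-  let len_a = String.length actual in
-  let len = max len_e len_a in
-  let result = ref (len_e lxor len_a) in
-  for i = 0 to len - 1 do
-    let c_e = if i < len_e then Char.code expected.[i] else 0 in
-    let c_a = if i < len_a then Char.code actual.[i] else 0 in
-    result := !result lor (c_e lxor c_a)
-  done;
-  !result = 0
+  String.length expected > 0 && Eqaf.equal expected actual
 
 (* ── PKCE (RFC 7636) ─────────────────────────────────────────────── *)
 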
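Review bot: The new body of `validate_state` (new line 173) carries no doc comment, and its contract changed in a way a caller needs to know: an empty stored state (a missing or expired session value, for instance) now fails even when the callback echoes an empty string, and `&&` short-circuits before `Eqaf.equal` runs. A comment such as `(** [validate_state ~expected ~actual] is [true] iff [expected] is non-empty and equals [actual] in constant time; [expected] always comes from [generate_state] (fixed 64-hex-char length), so the length checks are not secret-dependent. *)` would make that explicit. If I recall eqaf correctly, `Eqaf.equal` returns [false] on a length mismatch before doing the constant-time byte compare, unlike the removed padded loop; that is acceptable only because the state length is fixed, which is why the comment should state it. The commit description also mentions a SCITT params doc fix that does not appear here: the diffstat +12 -11 is fully accounted for by lib/dune and lib/oauth.ml, so the message and the contents look out of sync.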