feat(security): add PKCE support#49
Conversation
|
Oh, also, I added base64url-js verbatim from: https://github.com/supabase-community/base64url-js This is the intended distribution method for that bit of code. However, there may be a more desirable way to do this. Let me know what you think. |
|
@jacobsandersen Great to see this PR! Regarding the base64 library, I wonder if TextEncoder could be used instead. I see base64url-js says it only works in browsers but the MDN Docs say it's been supported in browsers and node for a while. |
Good call. I'll take a look and see if I can use that instead. |
jacobsandersen
force-pushed
the
feat/pkce
branch
2 times, most recently
from
eefb315 to
87187a9
Compare
|
note: I noticed I had inadvertently changed some other parts of the code (probably by trying to run tests, which runs lint), which was not intentional. I reverted any changes that are not specific to adding PKCE and force pushed the first commit before I keep working on other items. |
TextEncoder only encodes to UTF8. However, upon checking |
|
Thanks so much for the PR! The code looks good to me, and definitely an important feature which this library should support :) I'll see if I can fix the issues with the tests and get a new release up soon |
closes Login error about missing code_challenge parameter on site requiring PKCE Fixes #140 depends on grantcodes/micropub#49
grantcodes
left a comment
grantcodes
left a comment
There was a problem hiding this comment.
This is looking really good thanks! Just had a few notes:
- We'll need to update the documentation to include the pkce info
- I've fixed issues with the tests, so can you pull in latest
mainbranch to get them to work?
…de verifier functionality to getToken; add tests
…st for base64url code; update pkce generation
…he global namespace
jacobsandersen
force-pushed
the
feat/pkce
branch
from
b816ad4 to
0ec166e
Compare
|
Rebased to main |
… `+` instead of just the first
…h URL method; add code verifier to options and use it automatically if it exists
|
Tests are working! Thanks @grantcodes I've made the If using PKCE (default), the I don't know if you actually want to keep the ability to not use PKCE, since it has been part of the spec since Sept 2020. But, erring on the side of compatibility, I've kept that in. If you want to remove it, we can do that. |
aciccarello
left a comment
aciccarello
left a comment
There was a problem hiding this comment.
Noticed an issue while testing this out in Omnibear. The API looks good though 👍
|
@aciccarello: I updated the code to call the setter now - can you try it again and let me know? Thanks! |
aciccarello
left a comment
aciccarello
left a comment
There was a problem hiding this comment.
Confirmed this works in Omnibear!
|
Hi @grantcodes! Anything remaining to be done here? |
add pkce support Fixes #140 Uses grantcodes/micropub#49 via a fork Fix: avoid removing tab before sending message
3 participants
This PR intends to add PKCE support to this library
To do so, it adds a new function
getAuthUrlPkce()which first calls the originalgetAuthUrl(), then it calls a new functiongeneratePkceParameters()(see below) which generates random parameters usable for PKCE. It appends the PKCE parameters to the auth URL and then returns the URL as well as the code verifier to use later during code exchange.The
generatePkceParameters()function creates a random string for the code verifier using the web crypto API, then hashes it with SHA256 to create the challenge. It returns both values. Since it uses SHA256, this will only support the S256 code_challenge_method.As mentioned before, the code_challenge and code_challenge_method parameters are then added to the standard auth url which should satisfy auth servers requiring PKCE. The caller is provided the
codeVerifiervalue to use after receiving an authorization code.To use the
codeVerifier, I've modified thegetToken()function to add an optional parametercodeVerifierwhich defaults to undefined for backwards compatibility. If the user wants to use PKCE, they can modify theirgetTokencall fromgetToken(code)togetToken(code, codeVerifier). The authorization server will hash thecodeVerifieron its side with SHA-256 and compare to the previously provided code challenge. If all is well, the auth server will return a token as usual with PKCE satisfied.I've added some tests, but I can't get any tests to run on my side. Not sure why - there is some sort of misconfiguration. I'll write back if I can get it working. Otherwise, before merging, please make sure the tests are good!!
If accepted, this will close #47.
Thank you!