Make PKCE implementation compliant with RFC7636

This checks for the PKCE code_verifier length as well as the characters used. It also give better errors when the PKCE verifier is invalid. Fixes #316
2025-07-29 22:01:14 +03:00 · 2022-08-01 20:18:43 +02:00
parent 23360bc233
commit 372b32a780
5 changed files with 62 additions and 12 deletions
--- a/crates/data-model/src/lib.rs
+++ b/crates/data-model/src/lib.rs
@ -36,7 +36,7 @@ pub use self::{
    },
    oauth2::{
        AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Client,
-        InvalidRedirectUriError, JwksOrJwksUri, Pkce, Session,
+        InvalidRedirectUriError, JwksOrJwksUri, Pkce, PkceVerificationError, Session,
    },
    tokens::{AccessToken, RefreshToken, TokenFormatError, TokenType},
    traits::{StorageBackend, StorageBackendMarker},
--- a/crates/data-model/src/oauth2/authorization_grant.rs
+++ b/crates/data-model/src/oauth2/authorization_grant.rs
@ -24,6 +24,21 @@ use url::Url;
 use super::{client::Client, session::Session};
 use crate::{traits::StorageBackend, StorageBackendMarker};

+#[derive(Debug, Error)]
+pub enum PkceVerificationError {
+    #[error("code_verifier should be at least 43 characters long")]
+    TooShort,
+
+    #[error("code_verifier should be at most 128 characters long")]
+    TooLong,
+
+    #[error("code_verifier contains invalid characters")]
+    InvalidCharacters,
+
+    #[error("challenge verification failed")]
+    VerificationFailed,
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Serialize)]
 pub struct Pkce {
    pub challenge_method: PkceCodeChallengeMethod,
@ -39,9 +54,27 @@ impl Pkce {
        }
    }

-    #[must_use]
-    pub fn verify(&self, verifier: &str) -> bool {
-        self.challenge_method.verify(&self.challenge, verifier)
+    pub fn verify(&self, verifier: &str) -> Result<(), PkceVerificationError> {
+        if verifier.len() < 43 {
+            return Err(PkceVerificationError::TooShort);
+        }
+
+        if verifier.len() > 43 {
+            return Err(PkceVerificationError::TooLong);
+        }
+
+        if verifier
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.' || c == '_' || c == '~')
+        {
+            return Err(PkceVerificationError::InvalidCharacters);
+        }
+
+        if !self.challenge_method.verify(&self.challenge, verifier) {
+            return Err(PkceVerificationError::VerificationFailed);
+        }
+
+        Ok(())
    }
 }

--- a/crates/data-model/src/oauth2/mod.rs
+++ b/crates/data-model/src/oauth2/mod.rs
@ -17,7 +17,9 @@ pub(self) mod client;
 pub(self) mod session;

 pub use self::{
-    authorization_grant::{AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Pkce},
+    authorization_grant::{
+        AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Pkce, PkceVerificationError,
+    },
    client::{Client, InvalidRedirectUriError, JwksOrJwksUri},
    session::Session,
 };