matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

Move the PKCE validation logic to oauth2-types

Browse Source
This commit is contained in:
Quentin Gliech
2022-08-03 10:37:08 +02:00
parent f7361f871e
commit 649e5cd645
5 changed files with 117 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/data-model/src/lib.rs
View File

@ -36,7 +36,7 @@ pub use self::{
},
oauth2::{
AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Client,
InvalidRedirectUriError, JwksOrJwksUri, Pkce, PkceVerificationError, Session,
InvalidRedirectUriError, JwksOrJwksUri, Pkce, Session,
},
tokens::{AccessToken, RefreshToken, TokenFormatError, TokenType},
traits::{StorageBackend, StorageBackendMarker},

82
crates/data-model/src/oauth2/authorization_grant.rs
View File

@ -16,7 +16,10 @@ use std::num::NonZeroU32;
use chrono::{DateTime, Duration, Utc};
use mas_iana::oauth::PkceCodeChallengeMethod;
use oauth2_types::{pkce::CodeChallengeMethodExt, requests::ResponseMode};
use oauth2_types::{
pkce::{CodeChallengeError, CodeChallengeMethodExt},
requests::ResponseMode,
};
use serde::Serialize;
use thiserror::Error;
use url::Url;
@ -24,21 +27,6 @@ use url::Url;
use super::{client::Client, session::Session};
use crate::{traits::StorageBackend, StorageBackendMarker};
#[derive(Debug, Error, PartialEq)]
pub enum PkceVerificationError {
#[error("code_verifier should be at least 43 characters long")]
TooShort,
#[error("code_verifier should be at most 128 characters long")]
TooLong,
#[error("code_verifier contains invalid characters")]
InvalidCharacters,
#[error("challenge verification failed")]
VerificationFailed,
}
#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
pub struct Pkce {
pub challenge_method: PkceCodeChallengeMethod,
@ -54,27 +42,8 @@ impl Pkce {
}
}
pub fn verify(&self, verifier: &str) -> Result<(), PkceVerificationError> {
if verifier.len() < 43 {
return Err(PkceVerificationError::TooShort);
}
if verifier.len() > 128 {
return Err(PkceVerificationError::TooLong);
}
if !verifier
.chars()
.all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.' || c == '_' || c == '~')
{
return Err(PkceVerificationError::InvalidCharacters);
}
if !self.challenge_method.verify(&self.challenge, verifier) {
return Err(PkceVerificationError::VerificationFailed);
}
Ok(())
pub fn verify(&self, verifier: &str) -> Result<(), CodeChallengeError> {
self.challenge_method.verify(&self.challenge, verifier)
}
}
@ -238,42 +207,3 @@ impl<T: StorageBackend> AuthorizationGrant<T> {
self.created_at - Duration::seconds(max_age.unwrap_or(3600 * 24 * 365))
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_pkce_verification() {
// This challenge is taken from the RFC7636 appendices
let pkce = Pkce::new(
PkceCodeChallengeMethod::S256,
"E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".to_string(),
);
assert_eq!(
pkce.verify("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"),
Ok(()),
);
assert_eq!(
pkce.verify("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"),
Err(PkceVerificationError::VerificationFailed),
);
assert_eq!(
pkce.verify("tooshort"),
Err(PkceVerificationError::TooShort),
);
assert_eq!(
pkce.verify("toolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolongtoolong"),
Err(PkceVerificationError::TooLong),
);
assert_eq!(
pkce.verify("this is long enough but has invalid characters in it"),
Err(PkceVerificationError::InvalidCharacters),
);
}
}

4
crates/data-model/src/oauth2/mod.rs
View File

@ -17,9 +17,7 @@ pub(self) mod client;
pub(self) mod session;
pub use self::{
authorization_grant::{
AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Pkce, PkceVerificationError,
},
authorization_grant::{AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Pkce},
client::{Client, InvalidRedirectUriError, JwksOrJwksUri},
session::Session,
};