From 2167edf1d98ec22ef2e0ece600b82d200a834397 Mon Sep 17 00:00:00 2001
From: Erick Torres
Date: Fri, 16 Jun 2017 12:02:48 -0500
Subject: [PATCH] Validate codeVerifier and codeChallenge correctly.

---
 src/Grant/AuthCodeGrant.php | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 7e64b416..5cfafdc8 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -134,6 +134,17 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 throw OAuthServerException::invalidRequest('code_verifier');
 }
+ // Validate code_verifier according to RFC-7636
+ // @see: https://tools.ietf.org/html/rfc7636#section-4.1
+ $isValidCodeVerifier = (bool) preg_match('#[A-Za-z0-9\-|\.|\_|\~]{43,128}#', $codeVerifier);
+
+ if ($isValidCodeVerifier === false) {
+ throw OAuthServerException::invalidRequest(
+ 'code_verifier',
+ 'Code Verifier must follow the specifications of RFC-7636.'
+ );
+ }
+
 switch ($authCodePayload->code_challenge_method) {
 case 'plain':
 if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
@@ -272,6 +283,17 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 );
 }
+ // Validate code_challenge according to RFC-7636
+ // @see: https://tools.ietf.org/html/rfc7636#section-4.2
+ $isValidCodeChallenge = (bool) preg_match('#[A-Za-z0-9\-|\.|\_|\~]{43}#', $codeChallenge);
+
+ if ($isValidCodeChallenge === false) {
+ throw OAuthServerException::invalidRequest(
+ 'code_challenged',
+ 'Code challenge must follow the specifications of RFC-7636.'
+ );
+ }
+
 $authorizationRequest->setCodeChallenge($codeChallenge);
 $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
 }
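Review bot: The pattern on the `$isValidCodeVerifier` line is unanchored, so any input that merely contains a run of 43 allowed characters passes (an over-long or otherwise malformed verifier is not rejected), and the `|` characters inside the character class are literal pipes rather than alternation, so `|` is accepted as an allowed character. Anchor the pattern and drop the pipes, and test for the match count rather than a bool cast so a PCRE error is not reported as "valid": `$isValidCodeVerifier = preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $codeVerifier) === 1;`. The same unanchored, pipe-containing class is used for the challenge check in the second hunk. The enclosing method starts and ends outside this hunk.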
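Review bot: The parameter name passed on the `throw OAuthServerException::invalidRequest(` line is `'code_challenged'`, which is not the request parameter the client sent; it should be `'code_challenge'` so the error points at the right field. The quantifier `{43}` also only fits an S256 challenge (the base64url SHA-256 digest is 43 characters); when `$codeChallengeMethod` is `plain` the challenge equals the verifier and can be 43 to 128 characters, so once the pattern is anchored (it is unanchored here, as in the first hunk) this check would reject valid plain challenges. Use `preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $codeChallenge) === 1` here, or pick the length bound from the method. The enclosing method starts outside the hunk, and whether the trailing `}` closes it cannot be told from the collapsed text.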