From 1c69e618320b2fd83be4aed02cc1ebb50648e05f Mon Sep 17 00:00:00 2001
From: Mauro Amico
Date: Fri, 7 Jun 2024 09:27:15 +0200
Subject: [PATCH] fix code_verifier length (#319)

---
 spid_cie_oidc/relying_party/utils.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/spid_cie_oidc/relying_party/utils.py b/spid_cie_oidc/relying_party/utils.py
index cf93c141..5ab13932 100644
--- a/spid_cie_oidc/relying_party/utils.py
+++ b/spid_cie_oidc/relying_party/utils.py
@@ -2,9 +2,8 @@
 import json
 import hashlib
 import logging
-import os
 import random
-import re
+import secrets
 import string
 import urllib
 
@@ -34,10 +33,11 @@ def random_string(n=32):
 def get_pkce(code_challenge_method: str = "S256", code_challenge_length: int = 64):
     hashers = {"S256": hashlib.sha256}
 
-    code_verifier_length = random.randint(43, 128) # nosec - B311
-    code_verifier = base64.urlsafe_b64encode(os.urandom(code_verifier_length)).decode("utf-8")
-    code_verifier = re.sub("[^a-zA-Z0-9]+", "", code_verifier)
-
+    # https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+    code_verifier_length = secrets.choice(range(43, 128 + 1))
+    alpha = string.ascii_letters + string.digits + "-._~"
+    code_verifier = "".join([secrets.choice(alpha) for _ in range(code_verifier_length)])
+
     code_challenge = hashers.get(code_challenge_method)(
         code_verifier.encode("utf-8")
     ).digest()
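Review bot: Drawing the verifier length from `range(43, 128 + 1)` with `secrets.choice` adds no security (the length is not secret and the 43-character minimum already exceeds 256 bits from a 66-symbol alphabet) while costing one CSPRNG call per character in a Python-level loop; a fixed-length verifier is simpler and at least as strong. The three new lines `code_verifier_length = …`, `alpha = …` and `code_verifier = "".join(…)` can collapse to `code_verifier = secrets.token_urlsafe(96)`, which yields exactly 128 characters from the base64url set (a subset of RFC 7636's unreserved characters and no padding), or `secrets.token_urlsafe(32)` for the 43-character form §4.1 itself recommends. The alphabet the commit introduces, `ascii_letters + digits + "-._~"`, is precisely the RFC's unreserved set, so the hunk is correct as written and this is a simplification rather than a bug. Separately, `hashers.get(code_challenge_method)` on the context line returns `None` for any method other than `"S256"`, so an unsupported method surfaces as a `TypeError` on the call; a guard such as `if code_challenge_method not in hashers: raise ValueError(f"unsupported code_challenge_method: {code_challenge_method}")` before the lookup would make that explicit, and `code_challenge_length` is not referenced in the visible lines of `get_pkce`, whose body continues past the hunk.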