getRandomState only returns alphanumeric states

Before, this was using the default character set for RandomLib/Generator's generateString which is the base 64 character set that includes + and /. While / wasn't causing any problems, using + in a URL parameters (e.g. when the OAuth 2 server sends back the state), the + was getting interpretted as a space, which means when a straight string comparison to stored state was being done, it was returning false. This changes getRandomState to use the Generator::CHAR_ALNUM constant as its character set which solves this problem.
thephpleague · Jul 28, 2016 · 4e2e4fc · 4e2e4fc
1 parent 46052b5
commit 4e2e4fc
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/Provider/AbstractProvider.php b/src/Provider/AbstractProvider.php
@@ -27,6 +27,7 @@
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
 use RandomLib\Factory as RandomFactory;
+use RandomLib\Generator as RandomGenerator;
 use UnexpectedValueException;
 
 /**
@@ -302,7 +303,7 @@ protected function getRandomState($length = 32)
             ->getRandomFactory()
             ->getMediumStrengthGenerator();
 
-        return $generator->generateString($length);
+        return $generator->generateString($length, RandomGenerator::CHAR_ALNUM);
     }
 
     /**
@@ -358,7 +359,7 @@ protected function getAuthorizationParameters(array $options)
         $options['client_id'] = $this->clientId;
         $options['redirect_uri'] = $this->redirectUri;
         $options['state'] = $this->state;
-        
+
         return $options;
     }