Merge branch 'bugfix/oauth-token-padding' into 'develop'

oauth: never use base64 padding when returning tokens to applications

See merge request pleroma/pleroma!825
lambda 2019-02-15 14:58:13 +00:00
commit 1ce1b7b58d
4 changed files with 12 additions and 6 deletions


@ -25,8 +25,14 @@ def register_changeset(struct, params \\ %{}) do
if changeset.valid? do if changeset.valid? do
changeset changeset
|> put_change(:client_id, :crypto.strong_rand_bytes(32) |> Base.url_encode64()) |> put_change(
|> put_change(:client_secret, :crypto.strong_rand_bytes(32) |> Base.url_encode64()) :client_id,
:crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
)
|> put_change(
:client_secret,
:crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
)
else else
changeset changeset
end end
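Review bot: The expression `:crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)` is written out twice in this section and again in the create_authorization and create_token sections, so the length and padding policy for OAuth secrets now lives in five call sites. A single shared helper, for example `def random_token, do: 32 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)`, would keep that policy in one place so a later change cannot miss a site. The body of register_changeset begins before this hunk, so the suggestion only covers the lines shown.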


@ -24,7 +24,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
end end
def create_authorization(%App{} = app, %User{} = user) do def create_authorization(%App{} = app, %User{} = user) do
token = :crypto.strong_rand_bytes(32) |> Base.url_encode64() token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
authorization = %Authorization{ authorization = %Authorization{
token: token, token: token,


@ -173,7 +173,7 @@ defp fix_padding(token) do
token token
|> URI.decode() |> URI.decode()
|> Base.url_decode64!(padding: false) |> Base.url_decode64!(padding: false)
|> Base.url_encode64() |> Base.url_encode64(padding: false)
end end
defp get_app_from_request(conn, params) do defp get_app_from_request(conn, params) do
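Review bot: fix_padding now normalises to the unpadded form, so a value issued before this commit (32 random bytes encode to 43 characters plus one `=`) no longer equals what this function returns. If the result is compared with stored tokens or authorization codes, those older values would stop matching; the callers are outside the hunk, so this needs confirming. If so, either look up both forms for a transition period or migrate the stored values. Separately, `Base.url_decode64!/2` raises on malformed input, and the value appears to come from the request, so `Base.url_decode64(padding: false)` with an explicit `:error` branch would turn a bad token into a normal invalid-token response instead of an exception.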


@ -31,8 +31,8 @@ def exchange_token(app, auth) do
end end
def create_token(%App{} = app, %User{} = user) do def create_token(%App{} = app, %User{} = user) do
token = :crypto.strong_rand_bytes(32) |> Base.url_encode64() token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64() refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
token = %Token{ token = %Token{
token: token, token: token,