authorWilliam Pitcock <nenolod@dereferenced.org>2019-02-14 01:05:25 +0000
committerWilliam Pitcock <nenolod@dereferenced.org>2019-02-14 01:10:04 +0000
commite9ef4b8da627e516d5f1a2b742c6dafa65232098 (patch)
tree2f598a2f9a7abce6cd75fd2efc00a606ea1f6f87
parent1ef474186141354bba03f28850fdeb4c1945d912 (diff)
oauth: never use base64 padding when returning tokens to applications
The normal Base64 alphabet uses the equals sign (=) as a padding character. Since Base64 strings are self-synchronizing, padding characters are unnecessary, so don't generate them in the first place.
-rw-r--r--lib/pleroma/web/oauth/app.ex10
-rw-r--r--lib/pleroma/web/oauth/authorization.ex2
-rw-r--r--lib/pleroma/web/oauth/oauth_controller.ex2
-rw-r--r--lib/pleroma/web/oauth/token.ex4
4 files changed, 12 insertions, 6 deletions
diff --git a/lib/pleroma/web/oauth/app.ex b/lib/pleroma/web/oauth/app.ex
index 3e8acde31..8b61bf3a4 100644
--- a/lib/pleroma/web/oauth/app.ex
+++ b/lib/pleroma/web/oauth/app.ex
@@ -25,8 +25,14 @@ defmodule Pleroma.Web.OAuth.App do
if changeset.valid? do
changeset
- |> put_change(:client_id, :crypto.strong_rand_bytes(32) |> Base.url_encode64())
- |> put_change(:client_secret, :crypto.strong_rand_bytes(32) |> Base.url_encode64())
+ |> put_change(
+ :client_id,
+ :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+ )
+ |> put_change(
+ :client_secret,
+ :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+ )
else
changeset
end
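Review bot: The expression `:crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)` now appears twice in this hunk and again in the authorization.ex and token.ex hunks, so the encoding options can drift apart again, which is the inconsistency this commit is correcting. A single shared helper would pin the byte count and alphabet in one place, for example (name is only a suggestion) `def random_token(bytes \\ 32), do: bytes |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)`. A short comment there could also record that dropping padding does not reduce the 256 bits of entropy. The enclosing function starts above the hunk.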
diff --git a/lib/pleroma/web/oauth/authorization.ex b/lib/pleroma/web/oauth/authorization.ex
index 75c9ab9aa..9039b8b45 100644
--- a/lib/pleroma/web/oauth/authorization.ex
+++ b/lib/pleroma/web/oauth/authorization.ex
@@ -24,7 +24,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
end
def create_authorization(%App{} = app, %User{} = user) do
- token = :crypto.strong_rand_bytes(32) |> Base.url_encode64()
+ token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
authorization = %Authorization{
token: token,
diff --git a/lib/pleroma/web/oauth/oauth_controller.ex b/lib/pleroma/web/oauth/oauth_controller.ex
index e4d0601f8..dddfcf299 100644
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@@ -173,7 +173,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
token
|> URI.decode()
|> Base.url_decode64!(padding: false)
- |> Base.url_encode64()
+ |> Base.url_encode64(padding: false)
end
defp get_app_from_request(conn, params) do
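Review bot: Values issued before this commit were generated with the padded `Base.url_encode64()` default, while this pipeline now normalises every incoming value to the unpadded form. If the result is compared with stored tokens or authorization codes, previously issued ones would presumably stop matching. Consider migrating the stored values or trying both forms during lookup, and at minimum leave a comment such as `# values issued before unpadded encoding still end in "=" in the database`. Separately, `Base.url_decode64!/2` raises on malformed client input; the non-bang `Base.url_decode64/2` with an explicit error return would keep a bad token from crashing the request. The enclosing function starts above the hunk, so its callers are not visible here.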
diff --git a/lib/pleroma/web/oauth/token.ex b/lib/pleroma/web/oauth/token.ex
index b0bbeeb69..ca9e718ac 100644
--- a/lib/pleroma/web/oauth/token.ex
+++ b/lib/pleroma/web/oauth/token.ex
@@ -31,8 +31,8 @@ defmodule Pleroma.Web.OAuth.Token do
end
def create_token(%App{} = app, %User{} = user) do
- token = :crypto.strong_rand_bytes(32) |> Base.url_encode64()
- refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64()
+ token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+ refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
token = %Token{
token: token,