
Update create_code_verifier to output the proper length #876

Merged (6 commits), Aug 13, 2024

Conversation

shawnz (Contributor) commented Aug 4, 2024

Previously, create_code_verifier would call secrets.token_urlsafe(nbytes=length) to produce the code verifier, but this leads to incorrect behaviour because the string returned by token_urlsafe doesn't have length nbytes. Instead it has length nbytes * (4/3) since the output is base64-encoded.

This means that, for example, you could call create_code_verifier(length=128) and you would get a result with length 171, which exceeds the 128-character maximum length of the code verifier allowed by the spec. But this wouldn't be caught by the checks in the code, since they only check the input length parameter and not the actual output length.

This PR fixes the issue by using the generate_token utility function instead, which does output strings of the exact length you specify. It also adds a test to make sure the length of the outputted string is equal to the specified length.
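The length mismatch described in this PR, as an added example that is not part of the PR or of oauthlib's code: the pre-fix generator beside a length-exact one, plus a check on the actual output string rather than on the length parameter alone. The unreserved character set and the 43 to 128 character bounds follow RFC 7636; the function names are assumptions, and `fixed_code_verifier` is a stand-in for oauthlib's `generate_token`, not a copy of it.

```python
# Added example, not oauthlib's own code. Shows why secrets.token_urlsafe(nbytes=length)
# overshoots the requested PKCE code_verifier length, and what a length-exact generator
# plus an output-side validity check look like.
import re
import secrets
import string

# RFC 7636 section 4.1: code_verifier is 43 to 128 unreserved characters.
PKCE_MIN_LENGTH = 43
PKCE_MAX_LENGTH = 128
UNRESERVED = string.ascii_letters + string.digits + "-._~"
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _check_length_param(length: int) -> None:
    # Both versions validate the *parameter*; only the fixed one also honours it.
    if not PKCE_MIN_LENGTH <= length <= PKCE_MAX_LENGTH:
        raise ValueError("length must be between 43 and 128")


def buggy_code_verifier(length: int = 128) -> str:
    """Pre-fix behaviour (reconstructed): `length` random bytes, then base64url
    without padding, so the string is ceil(length * 4 / 3) characters long."""
    _check_length_param(length)
    return secrets.token_urlsafe(nbytes=length)


def fixed_code_verifier(length: int = 128) -> str:
    """Length-exact generator (stand-in for generate_token, assumed here):
    one unreserved character per position, each drawn from the CSPRNG."""
    _check_length_param(length)
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def is_valid_code_verifier(verifier: str) -> bool:
    """Validate the produced string itself against RFC 7636, which is the
    check the original code lacked."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


if __name__ == "__main__":
    before, after = buggy_code_verifier(128), fixed_code_verifier(128)
    print(len(before), is_valid_code_verifier(before))  # 171 False
    print(len(after), is_valid_code_verifier(after))    # 128 True
```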

auvipy (Contributor) left a comment


we have to make the CI build green

@shawnz shawnz mentioned this pull request Aug 12, 2024
shawnz (Contributor, Author) commented Aug 12, 2024

Hi @auvipy, see #878 where I make an attempt to fix the CI errors. I did it in a separate PR since they are not related to this change.

auvipy (Contributor) commented Aug 13, 2024

Can you please rebase? Merged the PR.

shawnz (Contributor, Author) commented Aug 13, 2024

@auvipy done, ty for looking into this

@auvipy auvipy merged commit d319c54 into oauthlib:master Aug 13, 2024
12 checks passed