-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpkce_service.go
59 lines (48 loc) · 1.5 KB
/
pkce_service.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
package ssso
import (
"context"
"crypto/sha256"
"encoding/base64"
"fmt"
"github.com/rs/zerolog/log"
)
// PKCEService handles PKCE validation
type PKCEService struct {
oauthRepo OAuthRepository
}
// NewPKCEService creates a new PKCE service instance
func NewPKCEService(oauthRepo OAuthRepository) *PKCEService {
return &PKCEService{
oauthRepo: oauthRepo,
}
}
// ValidateCodeVerifier validates the PKCE code verifier against the stored challenge
func (s *PKCEService) ValidateCodeVerifier(ctx context.Context, code, verifier string) error {
challenge, err := s.oauthRepo.GetCodeChallenge(ctx, code)
if err != nil {
return fmt.Errorf("failed to get code challenge: %w", err)
}
if !ValidatePKCEChallenge(challenge, verifier) {
return fmt.Errorf("invalid code verifier")
}
// Clean up the challenge after successful validation
if err := s.oauthRepo.DeleteCodeChallenge(ctx, code); err != nil {
log.Error().Err(err).Msg("failed to delete code challenge")
}
return nil
}
// ValidatePKCEChallenge validates a code verifier against a code challenge
func ValidatePKCEChallenge(challenge, verifier string) bool {
// For plain method
if challenge == verifier {
return true
}
// For S256 method
h := sha256.New()
h.Write([]byte(verifier))
calculatedChallenge := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
return challenge == calculatedChallenge
}
func (s *PKCEService) SavePKCEChallenge(ctx context.Context, code, challenge string) error {
return s.oauthRepo.SaveCodeChallenge(ctx, code, challenge)
}