authorTim <contact@bytim.eu>2025-04-20 17:40:05 +0200
committerTim <contact@bytim.eu>2025-04-20 17:40:05 +0200
commit2d690226d9f86cc0fd50f8bfef87b883a7323355 (patch)
treeb33f364cff475720989421760148a8fb95fa3c2f /VPNAuth.Server
parentd7b87b1d78941c15fd9d967cc73998800487f968 (diff)
Validate code verifer on authorization code exchange
Diffstat (limited to 'VPNAuth.Server')
-rw-r--r--VPNAuth.Server/Program.cs27
1 files changed, 25 insertions, 2 deletions
diff --git a/VPNAuth.Server/Program.cs b/VPNAuth.Server/Program.cs
index beae428..e9dc036 100644
--- a/VPNAuth.Server/Program.cs
+++ b/VPNAuth.Server/Program.cs
@@ -1,3 +1,6 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.RegularExpressions;
using VPNAuth.Server;
using VPNAuth.Server.Database;
using VPNAuth.Server.Responses;
@@ -79,7 +82,27 @@ app.MapPost("/access-token", async (HttpContext context) =>
return;
}
- // TODO: validate code verifier -> context.Request.Form["code_verifier"]
+ if (!context.Request.Form.ContainsKey("code_verifier"))
+ {
+ context.Response.StatusCode = StatusCodes.Status400BadRequest;
+ return;
+ }
+
+ using var sha256 = SHA256.Create();
+ var removeCodeChallengeEnd = new Regex("=$");
+
+ var verifier = context.Request.Form["code_verifier"];
+ var verifierBytes = Encoding.ASCII.GetBytes(verifier.ToString());
+ var hashedVerifierBytes = sha256.ComputeHash(verifierBytes);
+ var expectedCodeChallenge = removeCodeChallengeEnd.Replace(Convert.ToBase64String(hashedVerifierBytes), "")
+ .Replace("+", "-")
+ .Replace("/", "_");
+
+ if (expectedCodeChallenge != authRequest.CodeChallenge)
+ {
+ context.Response.StatusCode = StatusCodes.Status403Forbidden;
+ return;
+ }
var accessTokenEntry = db.AccessTokens.Add(new AccessToken
{
@@ -154,7 +177,7 @@ app.Map("/user-info", (HttpContext context) =>
return;
}
- if (tokenHeader.Length >= 2)
+ if (tokenHeader.Length < 2)
{
context.Response.StatusCode = StatusCodes.Status401Unauthorized;
return;