-rw-r--r--VPNAuth.Server/Program.cs27
1 files changed, 25 insertions, 2 deletions
diff --git a/VPNAuth.Server/Program.cs b/VPNAuth.Server/Program.cs
index beae428..e9dc036 100644
--- a/VPNAuth.Server/Program.cs
+++ b/VPNAuth.Server/Program.cs
@@ -1,3 +1,6 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.RegularExpressions;
using VPNAuth.Server;
using VPNAuth.Server.Database;
using VPNAuth.Server.Responses;
@@ -79,7 +82,27 @@ app.MapPost("/access-token", async (HttpContext context) =>
return;
}
- // TODO: validate code verifier -> context.Request.Form["code_verifier"]
+ if (!context.Request.Form.ContainsKey("code_verifier"))
+ {
+ context.Response.StatusCode = StatusCodes.Status400BadRequest;
+ return;
+ }
+
+ using var sha256 = SHA256.Create();
+ var removeCodeChallengeEnd = new Regex("=$");
+
+ var verifier = context.Request.Form["code_verifier"];
+ var verifierBytes = Encoding.ASCII.GetBytes(verifier.ToString());
+ var hashedVerifierBytes = sha256.ComputeHash(verifierBytes);
+ var expectedCodeChallenge = removeCodeChallengeEnd.Replace(Convert.ToBase64String(hashedVerifierBytes), "")
+ .Replace("+", "-")
+ .Replace("/", "_");
+
+ if (expectedCodeChallenge != authRequest.CodeChallenge)
+ {
+ context.Response.StatusCode = StatusCodes.Status403Forbidden;
+ return;
+ }
var accessTokenEntry = db.AccessTokens.Add(new AccessToken
{
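Review bot: The verifier taken from `code_verifier` is hashed as-is, with no check that it is a well-formed PKCE verifier, and the result is compared with `!=` regardless of which challenge method the authorization request recorded. RFC 7636 §4.1 restricts the verifier to 43–128 unreserved characters (`[A-Za-z0-9-._~]`); an over-long or non-ASCII value currently reaches `Encoding.ASCII.GetBytes`, which substitutes `?` for unrepresentable characters, so rejecting malformed input with 400 before hashing is both cheaper and clearer. If the authorize endpoint also stores a `code_challenge_method` (not visible in this hunk), the S256 derivation should only run for S256 and a `plain` request should compare the raw verifier instead. Since both sides are ASCII strings, `CryptographicOperations.FixedTimeEquals` can replace the string inequality at no cost, and `TrimEnd('=')` replaces the per-request `Regex("=$")`, which strips only one padding character. The enclosing `/access-token` handler starts and ends outside the hunk.
```csharp
// … unchanged: ContainsKey("code_verifier") check returning 400 …

var verifier = context.Request.Form["code_verifier"].ToString();
// RFC 7636 §4.1: 43–128 unreserved characters; reject anything else before hashing.
if (!Regex.IsMatch(verifier, "^[A-Za-z0-9\\-._~]{43,128}$"))
{
    context.Response.StatusCode = StatusCodes.Status400BadRequest;
    return;
}

// S256: BASE64URL(SHA256(verifier)) without padding.
// TODO(review): branch on the stored code_challenge_method if "plain" is accepted at /authorize.
using var sha256 = SHA256.Create();
var expectedCodeChallenge = Convert.ToBase64String(sha256.ComputeHash(Encoding.ASCII.GetBytes(verifier)))
    .TrimEnd('=')
    .Replace("+", "-")
    .Replace("/", "_");

// Constant-time compare so response timing does not depend on how many leading characters match.
var expectedBytes = Encoding.ASCII.GetBytes(expectedCodeChallenge);
var storedBytes = Encoding.ASCII.GetBytes(authRequest.CodeChallenge ?? "");
if (!CryptographicOperations.FixedTimeEquals(expectedBytes, storedBytes))
{
    context.Response.StatusCode = StatusCodes.Status403Forbidden;
    return;
}

// … unchanged: db.AccessTokens.Add(...) …
```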
@@ -154,7 +177,7 @@ app.Map("/user-info", (HttpContext context) =>
return;
}
- if (tokenHeader.Length >= 2)
+ if (tokenHeader.Length < 2)
{
context.Response.StatusCode = StatusCodes.Status401Unauthorized;
return;
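Review bot: The corrected guard rejects only arrays shorter than two elements, so — assuming `tokenHeader` is the Authorization header split on whitespace (its declaration is above the hunk) — a value with three or more parts, or one whose first part is not `Bearer`, still passes this check. If that is its shape, tightening to `if (tokenHeader.Length != 2 || !string.Equals(tokenHeader[0], "Bearer", StringComparison.Ordinal))` keeps the 401 path and closes both cases. The enclosing `/user-info` handler starts and ends outside the hunk.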