From 2d690226d9f86cc0fd50f8bfef87b883a7323355 Mon Sep 17 00:00:00 2001
From: Tim
Date: Sun, 20 Apr 2025 17:40:05 +0200
Subject: Validate code verifer on authorization code exchange

---
 VPNAuth.Server/Program.cs | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/VPNAuth.Server/Program.cs b/VPNAuth.Server/Program.cs
index beae428..e9dc036 100644
--- a/VPNAuth.Server/Program.cs
+++ b/VPNAuth.Server/Program.cs
@@ -1,3 +1,6 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.RegularExpressions;
 using VPNAuth.Server;
 using VPNAuth.Server.Database;
 using VPNAuth.Server.Responses;
@@ -79,7 +82,27 @@ app.MapPost("/access-token", async (HttpContext context) =>
 return;
 }
 
- // TODO: validate code verifier -> context.Request.Form["code_verifier"]
+ if (!context.Request.Form.ContainsKey("code_verifier"))
+ {
+ context.Response.StatusCode = StatusCodes.Status400BadRequest;
+ return;
+ }
+
+ using var sha256 = SHA256.Create();
+ var removeCodeChallengeEnd = new Regex("=$");
+
+ var verifier = context.Request.Form["code_verifier"];
+ var verifierBytes = Encoding.ASCII.GetBytes(verifier.ToString());
+ var hashedVerifierBytes = sha256.ComputeHash(verifierBytes);
+ var expectedCodeChallenge = removeCodeChallengeEnd.Replace(Convert.ToBase64String(hashedVerifierBytes), "")
+ .Replace("+", "-")
+ .Replace("/", "_");
+
+ if (expectedCodeChallenge != authRequest.CodeChallenge)
+ {
+ context.Response.StatusCode = StatusCodes.Status403Forbidden;
+ return;
+ }
 
 var accessTokenEntry = db.AccessTokens.Add(new AccessToken
 {
@@ -154,7 +177,7 @@ app.Map("/user-info", (HttpContext context) =>
 return;
 }
 
- if (tokenHeader.Length >= 2)
+ if (tokenHeader.Length < 2)
 {
 context.Response.StatusCode = StatusCodes.Status401Unauthorized;
 return;
-- 
cgit v1.2.3
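Review bot: The `code_verifier` value in the `/access-token` hunk is hashed without being checked against the RFC 7636 §4.1 format (43–128 characters from `[A-Za-z0-9-._~]`), and `Encoding.ASCII.GetBytes` silently maps any non-ASCII character to `?` instead of rejecting it; the result still fails closed via the challenge comparison, but a malformed verifier should be answered with a 400 before any hashing, and the presence check should use a single `TryGetValue` lookup rather than `ContainsKey` plus the indexer. The challenge derivation itself can drop the `Regex("=$")` and the disposable `SHA256.Create()`: `TrimEnd('=')` covers the padding and `SHA256.HashData` (available on .NET 5+, which this project presumably targets — confirm) avoids the instance, with an ordinal `string.Equals` making the comparison's semantics explicit. Two things worth a comment rather than a change: a stored `authRequest.CodeChallenge` that is null or was issued with `code_challenge_method=plain` will never match the S256 value computed here (safe, but undocumented), and RFC 7636 §4.6 / RFC 6749 §5.2 specify a 400 `invalid_grant` for a failed verifier rather than the 403 returned here — keep 403 only if that is the project's convention elsewhere. The enclosing `MapPost` handler begins and ends outside this hunk.
```csharp
    // … unchanged: earlier grant and client checks …
    // RFC 7636 §4.1: code_verifier is 43–128 unreserved ASCII characters.
    var codeVerifierFormat = new Regex("^[A-Za-z0-9._~-]{43,128}$");
    if (!context.Request.Form.TryGetValue("code_verifier", out var verifier)
        || !codeVerifierFormat.IsMatch(verifier.ToString()))
    {
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        return;
    }

    // RFC 7636 §4.2: challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    var hashedVerifierBytes = SHA256.HashData(Encoding.ASCII.GetBytes(verifier.ToString()));
    var expectedCodeChallenge = Convert.ToBase64String(hashedVerifierBytes)
        .TrimEnd('=')
        .Replace('+', '-')
        .Replace('/', '_');

    // A null CodeChallenge (authorization request without S256 PKCE) never matches and is rejected.
    if (!string.Equals(expectedCodeChallenge, authRequest.CodeChallenge, StringComparison.Ordinal))
    // … unchanged: mismatch response and access-token issuance …
```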