Fixes issue #32 ("anti-forgery-token is encoded but not decoded") - r…

…eplaces non-URL-safe chars in base64 CSRF key
clojusc · Dec 4, 2014 · 7ce5a1a · 7ce5a1a
1 parent a0d2b0b
commit 7ce5a1a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/friend_oauth2/util.clj b/src/friend_oauth2/util.clj
@@ -2,7 +2,7 @@
   (:require
    [cheshire.core :refer [parse-string]]
    [ring.util.codec :as ring-codec]
-   [clojure.string :refer [split join]]
+   [clojure.string :as string :refer [split join]]
    [crypto.random :as random]))
 
 (defn format-config-uri
@@ -43,4 +43,4 @@
 (defn generate-anti-forgery-token
   "Generates random string for anti-forgery-token."
   []
-  (-> (random/base64 60) (split #"/") join))
+  (string/replace (random/base64 60) #"[\+=/]" "-"))
diff --git a/test/friend_oauth2/util_facts.clj b/test/friend_oauth2/util_facts.clj
@@ -41,3 +41,9 @@
  "Replaces the authorization code"
  ((oauth2-util/replace-authz-code (uri-config-fixture :access-token-uri) "my-code") :code)
  => "my-code")
+
+(fact
+ "Replaces '+', '/' and '=' in base64 CSRF token."
+ (with-redefs [crypto.random/base64 (constantly "TaUtFckiPp+v7yRx8aYC5OGAU1k/UouWtqI7e9IH8pUtm2/r00d5YVFy+JdS8zaWuMS=j0dwNDHt4vym")]
+   (let [correct-token "TaUtFckiPp-v7yRx8aYC5OGAU1k-UouWtqI7e9IH8pUtm2-r00d5YVFy-JdS8zaWuMS-j0dwNDHt4vym"]
+     (oauth2-util/generate-anti-forgery-token) => correct-token)))