anti-forgery-token is encoded but not decoded #32
Comments
…eplaces non-URL-safe chars in base64 CSRF key
Thanks, good catch! Actually I shouldn't have been passing non-URL safe chars in the first place, so I'm stripping out +, / and = now. I'll push a release ASAP and update this issue when I have.
Hmm, actually I'm a bit curious what you were actually seeing--you won't see any spaces generated by crypto.random/base64, so I assumed you meant the + symbols were getting URL-encoded when sending (to "%2B") and then you were seeing "%2B" when you got the response back. Is this the case? I still don't want to assume the authorizing server is going to be doing URL-unencoding but I'm curious what the actual behavior is here.
When I set a breakpoint at https://github.com/ddellacosta/friend-oauth2/blob/master/src/friend_oauth2/workflow.clj#L32 (BTW: in friend-oauth2-0.1.1 it is L34) I can see that
So it seems that
Thanks! I'm looking forward to that as it will probably solve the issue.
Huh, well, sounds like maybe whatever provider you're using is doing some substituting of those values, as I would expect to see the URL encoded value "%2B" if we were to see anything--but no matter, it seems obvious these should be getting replaced regardless and will hopefully solve your problem. Thanks again for catching this!
Pushed release 0.1.2
@ddellacosta great, this really fixed the issue. Thank you very much.
In https://github.com/ddellacosta/friend-oauth2/blob/master/src/friend_oauth2/util.clj#L17 the anti-forgery-token is form-encoded but it is never decoded before checking it in https://github.com/ddellacosta/friend-oauth2/blob/master/src/friend_oauth2/util.clj#L40.
In case the state contains spaces, the token will have + chars after the encoding and therefore will not be the same. I just found that this is the reason for an endless loop redirecting me back to the provider.
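An added example, not code from friend-oauth2 (Python rather than the project's Clojure), showing the mismatch this thread describes: a standard-base64 state token changes under form-encoding, whereas the URL-safe, unpadded alphabet that release 0.1.2 moves to (no +, / or =) is left untouched. The SAMPLE bytes are constructed so the standard alphabet produces +, / and =, and check_state is a hypothetical helper, not the library's comparison.

```python
import base64
import hmac
import secrets
from urllib.parse import quote_plus, unquote_plus

# Constructed sample bytes: chosen so standard base64 yields '+', '/' and '=' padding.
SAMPLE = bytes([0xFB, 0xFF, 0xBF, 0xFB, 0xFF])


def state_standard_b64(raw: bytes) -> str:
    """Token in the standard alphabet (pre-0.1.2 behaviour): may contain '+', '/' and '='."""
    return base64.b64encode(raw).decode("ascii")


def state_urlsafe_b64(raw: bytes) -> str:
    """Token in the URL-safe alphabet with padding stripped: only [A-Za-z0-9_-] remain."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def form_encode(token: str) -> str:
    """What the app writes into the redirect URL's state parameter (x-www-form-urlencoded)."""
    return quote_plus(token)


def survives_encoding(token: str) -> bool:
    """True when form-encoding leaves the token byte-identical, so a check that compares
    the encoded value against the stored raw value cannot fail on encoding alone."""
    return form_encode(token) == token


def check_state(stored: str, received: str) -> bool:
    """Hypothetical hardened check: decode the callback value, then compare in constant time."""
    return hmac.compare_digest(stored.encode("utf-8"), unquote_plus(received).encode("utf-8"))


def new_state(nbytes: int = 24) -> str:
    """Fresh CSRF state token in the alphabet that survives the round trip unchanged."""
    return state_urlsafe_b64(secrets.token_bytes(nbytes))


if __name__ == "__main__":
    for tok in (state_standard_b64(SAMPLE), state_urlsafe_b64(SAMPLE)):
        print(f"{tok!r:12} encoded as {form_encode(tok)!r:26} survives={survives_encoding(tok)}")
```

check_state also shows the trap the maintainer chose not to rely on: if the provider hands the value back already decoded, decoding it again turns a literal + from a standard-base64 token into a space, so restricting the alphabet removes the ambiguity rather than guessing which side decodes.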