From 7ce5a1a0ddd4e125d87606fbe7098e0130c45477 Mon Sep 17 00:00:00 2001
From: Dave Della Costa
Date: Thu, 4 Dec 2014 20:03:39 +0900
Subject: [PATCH] Fixes issue #32 ("anti-forgery-token is encoded but not decoded") - replaces non-URL-safe chars in base64 CSRF key

---
 src/friend_oauth2/util.clj | 4 ++--
 test/friend_oauth2/util_facts.clj | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/friend_oauth2/util.clj b/src/friend_oauth2/util.clj
index 7107c30..678b955 100644
--- a/src/friend_oauth2/util.clj
+++ b/src/friend_oauth2/util.clj
@@ -2,7 +2,7 @@
   (:require [cheshire.core :refer [parse-string]]
             [ring.util.codec :as ring-codec]
-            [clojure.string :refer [split join]]
+            [clojure.string :as string :refer [split join]]
             [crypto.random :as random]))
 (defn format-config-uri
@@ -43,4 +43,4 @@
 (defn generate-anti-forgery-token
   "Generates random string for anti-forgery-token."
   []
-  (-> (random/base64 60) (split #"/") join))
+  (string/replace (random/base64 60) #"[\+=/]" "-"))
diff --git a/test/friend_oauth2/util_facts.clj b/test/friend_oauth2/util_facts.clj
index d421807..e851014 100644
--- a/test/friend_oauth2/util_facts.clj
+++ b/test/friend_oauth2/util_facts.clj
@@ -41,3 +41,9 @@
   "Replaces the authorization code"
   ((oauth2-util/replace-authz-code (uri-config-fixture :access-token-uri) "my-code") :code)
   => "my-code")
+
+(fact
+  "Replaces '+', '/' and '=' in base64 CSRF token."
+  (with-redefs [crypto.random/base64 (constantly "TaUtFckiPp+v7yRx8aYC5OGAU1k/UouWtqI7e9IH8pUtm2/r00d5YVFy+JdS8zaWuMS=j0dwNDHt4vym")]
+    (let [correct-token "TaUtFckiPp-v7yRx8aYC5OGAU1k-UouWtqI7e9IH8pUtm2-r00d5YVFy-JdS8zaWuMS-j0dwNDHt4vym"]
+      (oauth2-util/generate-anti-forgery-token) => correct-token)))
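Review bot: The new `generate-anti-forgery-token` body folds three distinct base64 symbols (`+`, `/`, `=`) into a single `-`, which is lossy but harmless here only because the token is compared as an opaque string and never decoded; the docstring still says "random string" and should state that contract so nobody later tries to base64-decode it. Suggest `"Generates a random URL-safe string for the anti-forgery token; base64 '+', '/' and '=' are replaced by '-', so the result is an opaque token, not decodable base64."`. The entropy loss from the merge is negligible for a 60-byte input, but a lower-friction alternative is crypto.random's `url-part`, which emits URL-safe, unpadded output directly and avoids the regex. If `split` and `join` are no longer used elsewhere in the namespace, the `:refer [split join]` kept on the require line in the first hunk is now dead and can be dropped.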
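Review bot: The new fact only exercises a fixed stub through `with-redefs`, so the real output of `random/base64` never passes through the regex and a future change to the character class or the generator would not be caught; a property check alongside it, without redefining the RNG, covers that: `(fact "Token is URL-safe" (oauth2-util/generate-anti-forgery-token) => #"^[A-Za-z0-9-]+$")`. The stubbed value also places `=` mid-string, which real base64 never does (padding is trailing only), so the fixture deserves a comment such as `;; deliberately synthetic: '=' mid-string checks the replacement, not real base64 layout` to stop a reader from treating it as representative input.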