auth: generate oauth2 state randomly

2025-04-15 17:49:29 +02:00 · 2023-11-28 17:58:52 +01:00 · 2023-11-28 17:58:52 +01:00 · b169dd2cc4
commit b169dd2cc4
parent 4bf0f2c81d
2 changed files with 35 additions and 1 deletions
--- a/cmd/auth.go
+++ b/cmd/auth.go
@ -50,7 +50,7 @@ var authCmd = &cobra.Command{
 		// https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-countermeasures-6
 		verifier := oauth2.GenerateVerifier()

-		state := "somestate" // FIXME: Should be a random string
+		state := auth.RandomState()
 		// Redirect user to consent page to ask for permission specified scopes.
 		authUrl := strategy.AuthCodeURL(verifier, state)

--- a/internal/auth/util.go
+++ b/internal/auth/util.go
@ -0,0 +1,34 @@
+/*
+Copyright © 2023 Philipp Wolfer <phw@uploadedlobster.com>
+
+Scotty is free software: you can redistribute it and/or modify it under the
+terms of the GNU General Public License as published by the Free Software
+Foundation, either version 3 of the License, or (at your option) any later version.
+
+Scotty is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+Scotty. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+package auth
+
+import "math/rand"
+
+const stateLength = 10
+
+func RandomState() string {
+	return randString(stateLength)
+}
+
+const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+func randString(n int) string {
+	b := make([]byte, n)
+	for i := range b {
+		b[i] = letters[rand.Intn(len(letters))]
+	}
+	return string(b)
+}