From b169dd2cc41600b5b7c5a20b5aecae5336760fda Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Tue, 28 Nov 2023 17:58:52 +0100
Subject: [PATCH] auth: generate oauth2 state randomly

---
 cmd/auth.go | 2 +-
 internal/auth/util.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 internal/auth/util.go

diff --git a/cmd/auth.go b/cmd/auth.go
index 67b7411..f7876fc 100644
--- a/cmd/auth.go
+++ b/cmd/auth.go
@@ -50,7 +50,7 @@ var authCmd = &cobra.Command{
 // https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-countermeasures-6
 verifier := oauth2.GenerateVerifier()
- state := "somestate" // FIXME: Should be a random string
+ state := auth.RandomState()
 // Redirect user to consent page to ask for permission specified scopes.
 authUrl := strategy.AuthCodeURL(verifier, state)
diff --git a/internal/auth/util.go b/internal/auth/util.go
new file mode 100644
index 0000000..76b55b0
--- /dev/null
+++ b/internal/auth/util.go
@@ -0,0 +1,34 @@
+/*
+Copyright © 2023 Philipp Wolfer
+
+Scotty is free software: you can redistribute it and/or modify it under the
+terms of the GNU General Public License as published by the Free Software
+Foundation, either version 3 of the License, or (at your option) any later version.
+
+Scotty is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+Scotty. If not, see .
+*/
+
+package auth
+
+import "math/rand"
+
+const stateLength = 10
+
+func RandomState() string {
+ return randString(stateLength)
+}
+
+const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+func randString(n int) string {
+ b := make([]byte, n)
+ for i := range b {
+ b[i] = letters[rand.Intn(len(letters))]
+ }
+ return string(b)
+}
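Review bot: The random `state` handed to `strategy.AuthCodeURL` on the added line only defends against login CSRF if the callback side keeps this exact value and rejects the redirect when the returned `state` query parameter differs; that comparison is not visible in this hunk, and if it is absent the new value buys nothing over the old constant. Keep the value in the same scope as `verifier`, compare it on the callback, and avoid logging it. The enclosing `authCmd` handler starts and ends outside the hunk, so this could not be checked here.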
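Review bot: `randString` draws from `math/rand` (the `import "math/rand"` and `rand.Intn` lines), which is not a cryptographically secure generator, and on Go releases before 1.20 the global source starts from a fixed seed, so unless `rand.Seed` is called somewhere not shown here `RandomState()` returns the same ten characters on every run — a predictable state, which is what this commit sets out to remove. Use `crypto/rand` and emit at least 128 bits (16 bytes, base64url-encoded) instead of 10 alphanumeric characters (roughly 59 bits); the import line becomes `crypto/rand` plus `encoding/base64`, and `letters`/`randString` are no longer needed. A failure of the OS random source is reported by panicking, since there is no safe fallback for a CSRF token; if the project prefers returned errors, change the signature and the single caller in `cmd/auth.go` together. The exported `RandomState` also lacks a doc comment.
```go
// stateBytes is the number of random bytes in a state value (128 bits).
const stateBytes = 16

// RandomState returns an unguessable OAuth2 state parameter drawn from the
// operating system's cryptographic random source. It panics if that source is
// unavailable, because a predictable state would silently disable CSRF protection.
func RandomState() string {
	b := make([]byte, stateBytes)
	if _, err := rand.Read(b); err != nil {
		panic("auth: crypto/rand unavailable: " + err.Error())
	}
	return base64.RawURLEncoding.EncodeToString(b)
}
```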