wip

avdb13 · avdb13 · commit 9ac5b55ce823 · 2024-11-21T09:07:37.000Z
diff --git a/Cargo.toml b/Cargo.toml
@@ -162,6 +162,7 @@ pretty_assertions = "1.4.0"
 derive-new = "0.7.0"
 diesel-bind-if-some = "0.1.0"
 tuplex = "0.1.2"
+sha2 = "0.10.8"
 
 [dependencies]
 lemmy_api = { workspace = true }
diff --git a/crates/api_crud/Cargo.toml b/crates/api_crud/Cargo.toml
@@ -33,6 +33,8 @@ accept-language = "3.1.0"
 serde_json = { workspace = true }
 serde = { workspace = true }
 serde_with = { workspace = true }
+sha2 = { workspace = true }
+base64 = { workspace = true }
 
 [package.metadata.cargo-shear]
 ignored = ["futures"]
diff --git a/crates/api_crud/src/user/create.rs b/crates/api_crud/src/user/create.rs
@@ -1,5 +1,6 @@
 use activitypub_federation::{config::Data, http_signatures::generate_actor_keypair};
 use actix_web::{web::Json, HttpRequest};
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
 use lemmy_api_common::{
   claims::Claims,
   context::LemmyContext,
@@ -47,7 +48,8 @@ use lemmy_utils::{
 };
 use serde::{Deserialize, Serialize};
 use serde_with::skip_serializing_none;
-use std::collections::HashSet;
+use sha2::{Digest, Sha256};
+use std::{collections::HashSet, iter};
 
 #[skip_serializing_none]
 #[derive(Debug, Serialize, Deserialize, Clone, Default)]
@@ -524,27 +526,37 @@ async fn oauth_request_access_token(
   pkce_code_verifier: Option<&str>,
   redirect_uri: &str,
 ) -> LemmyResult<TokenResponse> {
-  let mut form = vec![
+  let form = [
     ("grant_type", "authorization_code"),
     ("code", code),
     ("redirect_uri", redirect_uri),
     ("client_id", &oauth_provider.client_id),
     ("client_secret", &oauth_provider.client_secret),
   ];
-  if let Some(code_verifier) = pkce_code_verifier {
-    form.push(("code_verifier", code_verifier));
-  }
+
+  let digest = pkce_code_verifier.map(str::as_bytes).map(Sha256::digest);
+  let code_verifier = digest.map(|input| URL_SAFE_NO_PAD.encode(input));
+
+  let form = match code_verifier.as_deref() {
+    Some(code_verifier) => [&form[..], &[("code_verifier", code_verifier)]].concat(),
+    None => form.to_vec(),
+  };
 
   // Request an Access Token from the OAUTH provider
   let response = context
     .client()
     .post(oauth_provider.token_endpoint.as_str())
     .header("Accept", "application/json")
-    .form(&*form)
+    .form(&form[..])
     .send()
     .await;
 
   let response = response.map_err(|_| LemmyErrorType::OauthLoginFailed)?;
+  dbg!(
+    response.status(),
+    response.headers(),
+    response.error_for_status_ref()
+  );
   if !response.status().is_success() {
     Err(LemmyErrorType::OauthLoginFailed)?;
   }
