From c0f63234d7fa2599dd21575cbb9bd34ab7be6b42 Mon Sep 17 00:00:00 2001
From: Kagami Sascha Rosylight <saschanaz@outlook.com>
Date: Sat, 27 May 2023 15:19:55 +0200
Subject: [PATCH] use verifyChallenge

---
 .../backend/src/server/oauth/OAuth2ProviderService.ts  | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index 79422170f1..d25f21ff5b 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -12,6 +12,7 @@ import fastifyView from '@fastify/view';
 import pug from 'pug';
 import bodyParser from 'body-parser';
 import fastifyExpress from '@fastify/express';
+import { verifyChallenge } from 'pkce-challenge';
 import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { MetaService } from '@/core/MetaService.js';
 import { HttpRequestService } from '@/core/HttpRequestService.js';
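Review bot: The `pkce-challenge` package imported on line 18 is not declared anywhere in this patch: the diffstat lists only OAuth2ProviderService.ts, with no package.json or lockfile change, so unless `pkce-challenge` is already a direct dependency of packages/backend the import fails at module load and takes the token endpoint down with it. Confirm it is pinned in the backend manifest and lockfile rather than resolved transitively, since the PKCE verifier comparison is now security-critical code maintained outside this repository. With `pkceS256` removed in the following hunk, the `crypto` import that this hunk does not show may be left unused; if nothing else in the file references it, remove it so the unused-import lint does not fire.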
@@ -251,12 +252,6 @@ async function discoverClientInformation(httpRequestService: HttpRequestService,
 // 	};
 // }
 
-function pkceS256(codeVerifier: string): string {
-	return crypto.createHash('sha256')
-		.update(codeVerifier, 'ascii')
-		.digest('base64url');
-}
-
 type OmitFirstElement<T extends unknown[]> = T extends [unknown, ...(infer R)]
 	? R
 	: [];
@@ -365,7 +360,8 @@ export class OAuth2ProviderService {
 				delete TEMP_GRANT_CODES[code];
 				if (body.client_id !== granted.clientId) return [false];
 				if (redirectUri !== granted.redirectUri) return [false];
-				if (!body.code_verifier || pkceS256(body.code_verifier as string) !== granted.codeChallenge) return [false];
+				if (!body.code_verifier) return [false];
+				if (!(await verifyChallenge(body.code_verifier as string, granted.codeChallenge))) return [false];
 
 				const accessToken = secureRndstr(128, true);