
gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVishal Tak <vtak@gitlab.com>2022-04-05 14:10:57 +0300
committerVishal Tak <vtak@gitlab.com>2022-04-06 10:33:18 +0300
commit8e40856d4b14a261246b3bd8d3a2b80dd69a99e7 (patch)
tree742483f1133318191f84328242a5bdd1f512d02b /internal
parent5321248fd47127cc71f719aaafefc364379a9c56 (diff)
Update nonce to make it of standard size
Changelog: changed
Diffstat (limited to 'internal')
-rw-r--r--internal/auth/auth_code.go21
1 files changed, 15 insertions, 6 deletions
diff --git a/internal/auth/auth_code.go b/internal/auth/auth_code.go
index 9ab912dc..8974c544 100644
--- a/internal/auth/auth_code.go
+++ b/internal/auth/auth_code.go
@@ -30,7 +30,11 @@ func (a *Auth) EncryptAndSignCode(domain, code string) (string, error) {
return "", errEmptyDomainOrCode
}
- nonce := base64.URLEncoding.EncodeToString(securecookie.GenerateRandomKey(16))
+ nonce := securecookie.GenerateRandomKey(12)
+ if nonce == nil {
+ // https://github.com/gorilla/securecookie/blob/f37875ef1fb538320ab97fc6c9927d94c280ed5b/securecookie.go#L513
+ return "", errInvalidNonce
+ }
aesGcm, err := a.newAesGcmCipher(domain, nonce)
if err != nil {
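Review bot: The new `if nonce == nil` branch returns errInvalidNonce, the same error DecryptCode returns for a malformed nonce claim, so a failure of the system random source cannot be told apart from a bad token by callers or in logs; a distinct error (for example `errNonceGeneration`, a name constructed for this note) would keep the two apart. The bare URL does not say why the check exists; a comment such as `// GenerateRandomKey returns nil if the system random source fails; never seal with a nil nonce` would. The literal `12` is the standard 96-bit GCM nonce size and would read better as a named constant shared with the decrypt path. EncryptAndSignCode starts before and continues after this hunk.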
@@ -38,7 +42,7 @@ func (a *Auth) EncryptAndSignCode(domain, code string) (string, error) {
}
// encrypt code with a randomly generated nonce
- encryptedCode := aesGcm.Seal(nil, []byte(nonce), []byte(code), nil)
+ encryptedCode := aesGcm.Seal(nil, nonce, []byte(code), nil)
// generate JWT token claims with encrypted code
claims := jwt.MapClaims{
@@ -49,7 +53,7 @@ func (a *Auth) EncryptAndSignCode(domain, code string) (string, error) {
// custom claims
"domain": domain, // pass the domain so we can validate the signed domain matches the requested domain
"code": hex.EncodeToString(encryptedCode),
- "nonce": nonce,
+ "nonce": base64.URLEncoding.EncodeToString(nonce),
}
return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(a.jwtSigningKey)
@@ -64,11 +68,16 @@ func (a *Auth) DecryptCode(jwt, domain string) (string, error) {
}
// get nonce and encryptedCode from the JWT claims
- nonce, ok := claims["nonce"].(string)
+ encodedNonce, ok := claims["nonce"].(string)
if !ok {
return "", errInvalidNonce
}
+ nonce, err := base64.URLEncoding.DecodeString(encodedNonce)
+ if err != nil {
+ return "", errInvalidNonce
+ }
+
encryptedCode, ok := claims["code"].(string)
if !ok {
return "", errInvalidCode
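Review bot: The decoded nonce's length is never checked before it reaches newAesGcmCipher and `aesGcm.Open` further down in DecryptCode, so only the base64 syntax of the claim is validated. Go's GCM `Open` panics when the nonce length differs from the AEAD's nonce size, so unless newAesGcmCipher (its body is outside the visible hunks) sizes the cipher from `len(nonce)`, a signed token carrying a nonce of another length would panic instead of returning an error; if it does size from `len(nonce)`, the standard size this commit introduces is still not enforced when decrypting. Adding `if len(nonce) != 12 { return "", errInvalidNonce }` right after the decode covers both cases. Tokens issued before this change used the 24-character encoded string itself as the nonce, so they will presumably stop decrypting; the description could say whether that is acceptable for in-flight logins.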
@@ -84,7 +93,7 @@ func (a *Auth) DecryptCode(jwt, domain string) (string, error) {
return "", err
}
- decryptedCode, err := aesGcm.Open(nil, []byte(nonce), cipherText, nil)
+ decryptedCode, err := aesGcm.Open(nil, nonce, cipherText, nil)
if err != nil {
return "", err
}
@@ -126,7 +135,7 @@ func (a *Auth) getSigningKey(token *jwt.Token) (interface{}, error) {
return a.jwtSigningKey, nil
}
-func (a *Auth) newAesGcmCipher(domain, nonce string) (cipher.AEAD, error) {
+func (a *Auth) newAesGcmCipher(domain string, nonce []byte) (cipher.AEAD, error) {
// get the same key for a domain
key, err := a.codeKey(domain)
if err != nil {