From 49b2902d6d2c32f6616ff869f023af5ae83f52c7 Mon Sep 17 00:00:00 2001
From: sam
Date: Sat, 14 Dec 2024 16:39:02 +0100
Subject: [PATCH] fix: use url-unsafe base 64 for auth tokens
.net throws an error when decoding url-safe base 64 luckily we never decode it *except* for tokens, so those can keep using url-unsafe base 64. they're never used in URLs after all
---
 Foxnouns.Backend/Services/Auth/AuthService.cs | 2 +-
 Foxnouns.Backend/Utils/AuthUtils.cs | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/Foxnouns.Backend/Services/Auth/AuthService.cs b/Foxnouns.Backend/Services/Auth/AuthService.cs
index 89248cd..f8c2428 100644
--- a/Foxnouns.Backend/Services/Auth/AuthService.cs
+++ b/Foxnouns.Backend/Services/Auth/AuthService.cs
@@ -358,7 +358,7 @@ public class AuthService(
 private static (string, byte[]) GenerateToken()
 {
- string token = AuthUtils.RandomToken();
+ string token = AuthUtils.RandomUrlUnsafeToken();
 byte[] hash = SHA512.HashData(Convert.FromBase64String(token));
 return (token, hash);
diff --git a/Foxnouns.Backend/Utils/AuthUtils.cs b/Foxnouns.Backend/Utils/AuthUtils.cs
index 8a35cdc..5ebd745 100644
--- a/Foxnouns.Backend/Utils/AuthUtils.cs
+++ b/Foxnouns.Backend/Utils/AuthUtils.cs
@@ -130,10 +130,11 @@ public static class AuthUtils
 return TryFromBase64String(input, out rawToken);
 }
+ public static string RandomUrlUnsafeToken(int bytes = 48) =>
+ Convert.ToBase64String(RandomNumberGenerator.GetBytes(bytes)).Trim('=');
+
 public static string RandomToken(int bytes = 48) =>
- Convert
- .ToBase64String(RandomNumberGenerator.GetBytes(bytes))
- .Trim('=')
+ RandomUrlUnsafeToken()
 // Make the token URL-safe
 .Replace('+', '-')
 .Replace('/', '_');
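Review bot: `Convert.FromBase64String(token)` in `GenerateToken` succeeds only because the default of 48 bytes encodes to exactly 64 characters with no padding; `RandomUrlUnsafeToken` strips `=`, and .NET rejects base 64 input whose length is not a multiple of four. Nothing at this call site records that dependency, so a later change to the token length would make token generation throw a `FormatException`. I would pin it with a comment above the call, `// 48 bytes -> 64 base64 chars, no padding; FromBase64String depends on that`. The closing brace of `GenerateToken` is outside the hunk.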
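Review bot: `RandomToken(int bytes = 48)` no longer uses its `bytes` argument, because the new body calls `RandomUrlUnsafeToken()` with no argument and so always draws 48 random bytes. A caller that asks for a longer token would silently get less entropy than requested; whether any caller passes a non-default length is not visible in this patch. The call should forward the parameter: `RandomUrlUnsafeToken(bytes)`. Both public methods also lack XML docs; a `/// <summary>` on each stating which alphabet it returns and that `=` padding is stripped would help callers choose the right one.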