oauth: never use base64 padding when returning tokens to applications

The normal Base64 alphabet uses the equals sign (=) as a padding character. Since Base64 strings are self-synchronizing, padding characters are unnecessary, so don't generate them in the first place.
2019-02-14 01:05:25 +00:00 · 2019-02-14 01:05:25 +00:00 · e9ef4b8da6
parent 1ef4741861
commit e9ef4b8da6
4 changed files with 12 additions and 6 deletions
--- a/lib/pleroma/web/oauth/app.ex
+++ b/lib/pleroma/web/oauth/app.ex
@ -25,8 +25,14 @@ defmodule Pleroma.Web.OAuth.App do

    if changeset.valid? do
      changeset
-      |> put_change(:client_id, :crypto.strong_rand_bytes(32) |> Base.url_encode64())
-      |> put_change(:client_secret, :crypto.strong_rand_bytes(32) |> Base.url_encode64())
+      |> put_change(
+        :client_id,
+        :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+      )
+      |> put_change(
+        :client_secret,
+        :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+      )
    else
      changeset
    end
--- a/lib/pleroma/web/oauth/authorization.ex
+++ b/lib/pleroma/web/oauth/authorization.ex
@ -24,7 +24,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
  end

  def create_authorization(%App{} = app, %User{} = user) do
-    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64()
+    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

    authorization = %Authorization{
      token: token,
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -173,7 +173,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    token
    |> URI.decode()
    |> Base.url_decode64!(padding: false)
-    |> Base.url_encode64()
+    |> Base.url_encode64(padding: false)
  end

  defp get_app_from_request(conn, params) do
--- a/lib/pleroma/web/oauth/token.ex
+++ b/lib/pleroma/web/oauth/token.ex
@ -31,8 +31,8 @@ defmodule Pleroma.Web.OAuth.Token do
  end

  def create_token(%App{} = app, %User{} = user) do
-    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64()
-    refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64()
+    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+    refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)

    token = %Token{
      token: token,