mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-12-28 16:00:24 +05:30
Don’t pad and shuffle the payload if an encryption key has been set
This commit is contained in:
parent
e123fe82d0
commit
0706d66c76
@ -320,15 +320,20 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'),
|
'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'),
|
||||||
'code_challenge' => $authorizationRequest->getCodeChallenge(),
|
'code_challenge' => $authorizationRequest->getCodeChallenge(),
|
||||||
'code_challenge_method ' => $authorizationRequest->getCodeChallengeMethod(),
|
'code_challenge_method ' => $authorizationRequest->getCodeChallengeMethod(),
|
||||||
'_padding' => base64_encode(random_bytes(mt_rand(8, 256)))
|
|
||||||
];
|
];
|
||||||
|
|
||||||
// Shuffle the payload so that the structure is no longer know and obvious
|
if ($this->encryptionKey === null) {
|
||||||
$keys = array_keys($payload);
|
// Add padding to vary the length of the payload
|
||||||
shuffle($keys);
|
$payload['_padding'] = base64_encode(random_bytes(mt_rand(8, 256)));
|
||||||
$shuffledPayload = [];
|
// Shuffle the payload so that the structure is no longer know and obvious
|
||||||
foreach ($keys as $key) {
|
$keys = array_keys($payload);
|
||||||
$shuffledPayload[$key] = $payload[$key];
|
shuffle($keys);
|
||||||
|
$shuffledPayload = [];
|
||||||
|
foreach ($keys as $key) {
|
||||||
|
$shuffledPayload[$key] = $payload[$key];
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$shuffledPayload = $payload;
|
||||||
}
|
}
|
||||||
|
|
||||||
$response = new RedirectResponse();
|
$response = new RedirectResponse();
|
||||||
|
Loading…
Reference in New Issue
Block a user