From 1c36b70dab96b37cf5970d6c12e041e5dfc6d799 Mon Sep 17 00:00:00 2001
From: Andrew Millington
Date: Sat, 23 Dec 2017 02:06:18 +0000
Subject: [PATCH] Fixed ordering so we only hash after base64 encoding

---
 src/Grant/AuthCodeGrant.php       | 2 +-
 tests/Grant/AuthCodeGrantTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index c39679b6..6f2b6ff8 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -144,7 +144,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
             case 'S256':
                 if (
                     hash_equals(
-                        strtr(rtrim(base64_encode(hash('sha256', $codeVerifier)), '='), '+/', '-_'),
+                        hash('sha256', strtr(rtrim(base64_encode($codeVerifier), '='), '+/', '-_')),
                         $authCodePayload->code_challenge
                     ) === false
                 ) {
diff --git a/tests/Grant/AuthCodeGrantTest.php b/tests/Grant/AuthCodeGrantTest.php
index 80a95c31..0146561a 100644
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
@@ -767,7 +767,7 @@ class AuthCodeGrantTest extends TestCase
                         'user_id' => 123,
                         'scopes' => ['foo'],
                         'redirect_uri' => 'http://foo/bar',
-                        'code_challenge' => strtr(rtrim(base64_encode(hash('sha256', 'foobar')), '='), '+/', '-_'),
+                        'code_challenge' => hash('sha256', strtr(rtrim(base64_encode('foobar'), '='), '+/', '-_')),
                         'code_challenge_method' => 'S256',
                     ]
                 )
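Review bot: The new S256 comparison on the `+` line in AuthCodeGrant.php inverts the order RFC 7636 §4.2 mandates — the challenge is `BASE64URL(SHA256(ASCII(code_verifier)))`, hash first and then base64url-encode — so any conforming PKCE client will now fail verification and only clients written against this server's formula will pass. The removed line had the right order but a different defect: `hash('sha256', $codeVerifier)` returns a lowercase hex string, whereas the RFC base64url-encodes the 32 raw digest bytes, so the correct expression is `strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_')`. The RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) distinguishes all three formulas and is the quickest way to confirm. The enclosing `switch` and its method start and end outside the hunk.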
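Review bot: The expected `code_challenge` on the `+` line in AuthCodeGrantTest.php is computed with the very same expression the implementation now uses, so this fixture passes for any ordering of hash and base64 and cannot detect the RFC 7636 §4.2 mismatch this commit introduces. A test for an interoperability format should use an independent known-answer pair rather than mirror the code under test; RFC 7636 Appendix B supplies one, so the fixture should become `'code_challenge' => 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM',` with the request's `code_verifier` set to `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` (that verifier is presumably supplied elsewhere in this test method, outside the hunk). The enclosing test method starts and ends outside the hunk.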