auth/pkce.go

package auth

import (
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// PKCEMethod represents the code challenge method
type PKCEMethod string

const (
	// PKCEMethodPlain uses the verifier directly as the challenge
	PKCEMethodPlain PKCEMethod = "plain"
	// PKCEMethodS256 uses SHA256 hash of the verifier
	PKCEMethodS256 PKCEMethod = "S256"
)

// VerifyPKCE verifies that the code verifier matches the code challenge
func VerifyPKCE(verifier, challenge string, method PKCEMethod) bool {
	if verifier == "" || challenge == "" {
		return false
	}

	switch method {
	case PKCEMethodPlain, "":
		// Plain method or no method specified - direct comparison
		return verifier == challenge
	case PKCEMethodS256:
		// S256 method - SHA256 hash, base64url encoded
		computed := ComputeS256Challenge(verifier)
		return computed == challenge
	default:
		return false
	}
}

// ComputeS256Challenge computes the S256 code challenge from a verifier
func ComputeS256Challenge(verifier string) string {
	hash := sha256.Sum256([]byte(verifier))
	return base64URLEncode(hash[:])
}

// base64URLEncode encodes bytes to base64url without padding
func base64URLEncode(data []byte) string {
	encoded := base64.URLEncoding.EncodeToString(data)
	// Remove padding
	return strings.TrimRight(encoded, "=")
}
feat: migrate auth0mock from Node.js to Go Refactor the application to a Go-based architecture for improved performance and maintainability. Replace the Dockerfile to utilize a multi-stage build process, enhancing image efficiency. Implement comprehensive session store tests to ensure reliability and create new OAuth handlers for managing authentication efficiently. Update documentation to reflect these structural changes. 2025-12-29 16:30:37 +01:00			`package auth`

			`import (`
			`"crypto/sha256"`
			`"encoding/base64"`
			`"strings"`
			`)`

			`// PKCEMethod represents the code challenge method`
			`type PKCEMethod string`

			`const (`
			`// PKCEMethodPlain uses the verifier directly as the challenge`
			`PKCEMethodPlain PKCEMethod = "plain"`
			`// PKCEMethodS256 uses SHA256 hash of the verifier`
			`PKCEMethodS256 PKCEMethod = "S256"`
			`)`

			`// VerifyPKCE verifies that the code verifier matches the code challenge`
			`func VerifyPKCE(verifier, challenge string, method PKCEMethod) bool {`
			`if verifier == "" \|\| challenge == "" {`
			`return false`
			`}`

			`switch method {`
			`case PKCEMethodPlain, "":`
			`// Plain method or no method specified - direct comparison`
			`return verifier == challenge`
			`case PKCEMethodS256:`
			`// S256 method - SHA256 hash, base64url encoded`
			`computed := ComputeS256Challenge(verifier)`
			`return computed == challenge`
			`default:`
			`return false`
			`}`
			`}`

			`// ComputeS256Challenge computes the S256 code challenge from a verifier`
			`func ComputeS256Challenge(verifier string) string {`
			`hash := sha256.Sum256([]byte(verifier))`
			`return base64URLEncode(hash[:])`
			`}`

			`// base64URLEncode encodes bytes to base64url without padding`
			`func base64URLEncode(data []byte) string {`
			`encoded := base64.URLEncoding.EncodeToString(data)`
			`// Remove padding`
			`return strings.TrimRight(encoded, "=")`
			`}`