feat: add PKCE utility functions for OIDC auth

Add generateCodeVerifier() and generateCodeChallenge() helpers that
implement RFC 7636 PKCE using the Web Crypto API.

Ref: #2410
kolaente 2026-04-02 18:55:04 +02:00
parent 6aa7217dad
commit fb8e4ea741
1 changed files with 30 additions and 0 deletions


@ -0,0 +1,30 @@
/**
* Generate a cryptographically random code_verifier (43-128 chars, RFC 7636 Section 4.1).
* Uses unreserved characters: [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
*/
export function generateCodeVerifier(): string {
const array = new Uint8Array(32)
crypto.getRandomValues(array)
return base64UrlEncode(array)
}
/**
* Compute code_challenge = BASE64URL(SHA256(code_verifier)) (RFC 7636 Section 4.2).
*/
export async function generateCodeChallenge(verifier: string): Promise<string> {
const encoder = new TextEncoder()
const data = encoder.encode(verifier)
const digest = await crypto.subtle.digest('SHA-256', data)
return base64UrlEncode(new Uint8Array(digest))
}
function base64UrlEncode(bytes: Uint8Array): string {
let binary = ''
for (const byte of bytes) {
binary += String.fromCharCode(byte)
}
return btoa(binary)
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=+$/, '')
}
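Review bot: generateCodeChallenge calls `crypto.subtle.digest` without checking that `crypto.subtle` exists. Browsers expose SubtleCrypto only in secure contexts (HTTPS or localhost), so on an instance served over plain HTTP this would fail with an opaque TypeError even though generateCodeVerifier still succeeds. A guard at the top of the function would make the failure explicit: `if (!crypto.subtle) throw new Error('PKCE S256 requires a secure context (HTTPS or localhost)')`. The callers are not visible here, but they should abort the login on that error rather than fall back to the `plain` method or drop the challenge. Separately, the doc comment on generateCodeVerifier lists `.` and `~` and a 43-128 range, while base64UrlEncode only emits `[A-Za-z0-9_-]` and 32 bytes always give 43 characters; the comment could say so, and base64UrlEncode could get a one-line comment noting that it strips `=` padding.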