authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-15 03:35:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-15 03:35:49 +0000
commitd8bbc7858622b6d9c278469aab701ca0b609cddf (patch)
treeeff41dc61d9f714852212739e6b3738b82a2af87 /services/fxaccounts/FxAccountsOAuth.sys.mjs
parentReleasing progress-linux version 125.0.3-1~progress7.99u1. (diff)
Merging upstream version 126.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'services/fxaccounts/FxAccountsOAuth.sys.mjs')
-rw-r--r--services/fxaccounts/FxAccountsOAuth.sys.mjs14
1 files changed, 11 insertions, 3 deletions
diff --git a/services/fxaccounts/FxAccountsOAuth.sys.mjs b/services/fxaccounts/FxAccountsOAuth.sys.mjs
index 1935decff2..e8f186d1f7 100644
--- a/services/fxaccounts/FxAccountsOAuth.sys.mjs
+++ b/services/fxaccounts/FxAccountsOAuth.sys.mjs
@@ -22,6 +22,7 @@ export const ERROR_INVALID_STATE = "INVALID_STATE";
export const ERROR_SYNC_SCOPE_NOT_GRANTED = "ERROR_SYNC_SCOPE_NOT_GRANTED";
export const ERROR_NO_KEYS_JWE = "ERROR_NO_KEYS_JWE";
export const ERROR_OAUTH_FLOW_ABANDONED = "ERROR_OAUTH_FLOW_ABANDONED";
+export const ERROR_INVALID_SCOPED_KEYS = "ERROR_INVALID_SCOPED_KEYS";
/**
* Handles all logic and state related to initializing, and completing OAuth flows
@@ -32,14 +33,16 @@ export const ERROR_OAUTH_FLOW_ABANDONED = "ERROR_OAUTH_FLOW_ABANDONED";
export class FxAccountsOAuth {
#flow;
#fxaClient;
+ #fxaKeys;
/**
* Creates a new FxAccountsOAuth
*
* @param { Object } fxaClient: The fxa client used to send http request to the oauth server
*/
- constructor(fxaClient) {
+ constructor(fxaClient, fxaKeys) {
this.#flow = {};
this.#fxaClient = fxaClient;
+ this.#fxaKeys = fxaKeys;
}
/**
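Review bot: The constructor's JSDoc still documents only `fxaClient`, and the new `fxaKeys` argument is stored without any check, although the scoped-keys validation added further down in this diff calls `this.#fxaKeys.validScopedKeys(...)` unconditionally. A caller still using the one-argument form would only hit a TypeError at the end of an OAuth flow; that fails closed, but far from the cause. I would add `@param { Object } fxaKeys: The keys object used to validate scoped keys returned by the OAuth flow` and consider rejecting a missing `fxaKeys` in the constructor. The callers are not visible on this page, and the class body continues outside the hunk.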
@@ -131,8 +134,10 @@ export class FxAccountsOAuth {
// Generate a 43 byte code verifier for PKCE, in accordance with
// https://datatracker.ietf.org/doc/html/rfc7636#section-7.1 which recommends a
// 43-octet URL safe string
- const codeVerifier = new Uint8Array(43);
+ // The byte array is 32 bytes
+ const codeVerifier = new Uint8Array(32);
crypto.getRandomValues(codeVerifier);
+ // When base64 encoded, it is 43 bytes
const codeVerifierB64 = ChromeUtils.base64URLEncode(codeVerifier, {
pad: false,
});
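Review bot: The lead comment still reads "Generate a 43 byte code verifier" while the buffer is now 32 bytes, so the block describes two different sizes and the reader has to work out which one is the verifier. The 43 is the length of the unpadded base64url string, in characters rather than bytes, which is what the RFC 7636 recommendation cited here refers to. I would fold the three comments into one, for example `// Generate 32 random bytes; base64url-encoded without padding they form the 43-character PKCE code verifier`. The enclosing method starts and ends outside the hunk.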
@@ -147,7 +152,7 @@ export class FxAccountsOAuth {
// Generate a public, private key pair to be used during the oauth flow
// to encrypt scoped-keys as they roundtrip through the auth server
const ECDH_KEY = { name: "ECDH", namedCurve: "P-256" };
- const key = await crypto.subtle.generateKey(ECDH_KEY, true, ["deriveKey"]);
+ const key = await crypto.subtle.generateKey(ECDH_KEY, false, ["deriveKey"]);
const publicKey = await crypto.subtle.exportKey("jwk", key.publicKey);
const privateKey = key.privateKey;
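Review bot: The switch to `extractable = false` on the `generateKey` line has no comment, and the next line exports `key.publicKey`, which reads like a contradiction to anyone who does not know the WebCrypto rule. Only the private key of a generated pair takes the `extractable` argument; the public key stays exportable. A one-line comment would keep the flag from being flipped back later, for example `// Non-extractable: the private key must never leave WebCrypto; the public key of a generated pair remains exportable`. How `privateKey` is stored afterwards is outside the hunk, so I cannot tell whether anything downstream relied on exporting it.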
@@ -205,6 +210,9 @@ export class FxAccountsOAuth {
scopedKeys = JSON.parse(
new TextDecoder().decode(await lazy.jwcrypto.decryptJWE(keys_jwe, key))
);
+ if (!this.#fxaKeys.validScopedKeys(scopedKeys)) {
+ throw new Error(ERROR_INVALID_SCOPED_KEYS);
+ }
}
// We make sure no other flow snuck in, and completed before we did
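Review bot: The new guard `if (!this.#fxaKeys.validScopedKeys(scopedKeys))` only works if `validScopedKeys` returns a plain boolean; if it returned a promise, the negation would always be false and malformed scoped keys would pass silently. Its definition is not visible on this page, so it is worth confirming that it is synchronous, or awaiting it. A test that feeds a decrypted payload with a missing or malformed key entry and expects `ERROR_INVALID_SCOPED_KEYS` would pin the behaviour. I would also add a short comment above the check saying why it is there, for example `// The decrypted JWE round-trips through the auth server; verify its shape before using the keys`. The enclosing method starts and ends outside the hunk.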