impl: pixy secure code generator

fioan89 · fioan89 · commit 72a902fe7ee1 · 2025-10-13T23:52:33.000+03:00
Code Toolbox plugin should protect against authorization code interception
attacks by making use of the PKCE security extension which involves
a cryptographically random string (128 characters) known as code verifier
and a code challenge - derived from code verifier using the S256 challenge method.
diff --git a/src/main/kotlin/com/coder/toolbox/oauth/PKCEGenerator.kt b/src/main/kotlin/com/coder/toolbox/oauth/PKCEGenerator.kt
@@ -0,0 +1,42 @@
+package com.coder.toolbox.oauth
+
+import java.security.MessageDigest
+import java.security.SecureRandom
+import java.util.Base64
+
+private const val CODE_VERIFIER_LENGTH = 128
+
+/**
+ * Generates OAuth2 PKCE code verifier and code challenge
+ */
+object PKCEGenerator {
+
+    /**
+     * Generates a cryptographically random code verifier 128 chars in size
+     * @return Base64 URL-encoded code verifier
+     */
+    fun generateCodeVerifier(): String {
+        val secureRandom = SecureRandom()
+        val bytes = ByteArray(CODE_VERIFIER_LENGTH)
+        secureRandom.nextBytes(bytes)
+
+        return Base64.getUrlEncoder()
+            .withoutPadding()
+            .encodeToString(bytes)
+            .take(CODE_VERIFIER_LENGTH)
+    }
+
+    /**
+     * Generates code challenge from code verifier using S256 method
+     * @param codeVerifier The code verifier string
+     * @return Base64 URL-encoded SHA-256 hash of the code verifier
+     */
+    fun generateCodeChallenge(codeVerifier: String): String {
+        val digest = MessageDigest.getInstance("SHA-256")
+        val hash = digest.digest(codeVerifier.toByteArray(Charsets.US_ASCII))
+
+        return Base64.getUrlEncoder()
+            .withoutPadding()
+            .encodeToString(hash)
+    }
+}
