move nonce() method from OAuth1Provider to OAuthProvider

codemasher · codemasher · commit 21236d751e63 · 2024-03-22T00:30:30.000+01:00
diff --git a/src/Core/OAuth1Provider.php b/src/Core/OAuth1Provider.php
@@ -14,7 +14,7 @@
 use chillerlan\HTTP\Utils\{MessageUtil, QueryUtil};
 use chillerlan\OAuth\Providers\ProviderException;
 use Psr\Http\Message\{RequestInterface, ResponseInterface, UriInterface};
-use function array_merge, base64_encode, hash_hmac, implode, random_bytes, sodium_bin2hex, sprintf, strtoupper, time;
+use function array_merge, base64_encode, hash_hmac, implode, sprintf, strtoupper, time;
 
 /**
  * Implements an abstract OAuth1 provider with all methods required by the OAuth1Interface.
@@ -114,15 +114,6 @@ protected function parseTokenResponse(ResponseInterface $response, bool $checkCa
 		return $token;
 	}
 
-	/**
-	 * returns a 32 byte random string (in hexadecimal representation) for use as a nonce
-	 *
-	 * @see https://datatracker.ietf.org/doc/html/rfc5849#section-3.3
-	 */
-	protected function nonce():string{
-		return sodium_bin2hex(random_bytes(32));
-	}
-
 	/**
 	 * Generates a request signature
 	 *
diff --git a/src/Core/OAuth2Provider.php b/src/Core/OAuth2Provider.php
@@ -298,7 +298,7 @@ public function setState(array $params):array{
 		}
 
 		if(!isset($params['state'])){
-			$params['state'] = sha1(random_bytes(256));
+			$params['state'] = $this->nonce();
 		}
 
 		$this->storage->storeCSRFState($params['state'], $this->serviceName);
diff --git a/src/Core/OAuthProvider.php b/src/Core/OAuthProvider.php
@@ -24,7 +24,7 @@
 use Psr\Log\{LoggerInterface, NullLogger};
 use ReflectionClass;
 use function array_merge, array_shift, explode, implode, in_array, is_array, is_string,
-	json_encode, ltrim, rtrim, sprintf, str_starts_with, strtolower;
+	json_encode, ltrim, random_bytes, rtrim, sodium_bin2hex, sprintf, str_starts_with, strtolower;
 use const PHP_QUERY_RFC1738;
 
 /**
@@ -235,6 +235,16 @@ protected function cleanBodyParams(iterable $params):array{
 		return QueryUtil::cleanParams($params, QueryUtil::BOOLEANS_AS_BOOL, true);
 	}
 
+	/**
+	 * returns a 32 byte random string (in hexadecimal representation) for use as a nonce
+	 *
+	 * @see https://datatracker.ietf.org/doc/html/rfc5849#section-3.3
+	 * @see https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
+	 */
+	protected function nonce(int $bytes = 32):string{
+		return sodium_bin2hex(random_bytes($bytes));
+	}
+
 	/**
 	 * @inheritDoc
 	 * @throws \chillerlan\OAuth\Core\UnauthorizedAccessException

Original file line number	Diff line number	Diff line change
`@@ -298,7 +298,7 @@ public function setState(array $params):array{`
`298`	`298`	`}`
`299`	`299`
`300`	`300`	`if(!isset($params['state'])){`
`301`		`- $params['state'] = sha1(random_bytes(256));`
	`301`	`+ $params['state'] = $this->nonce();`
`302`	`302`	`}`
`303`	`303`
`304`	`304`	`$this->storage->storeCSRFState($params['state'], $this->serviceName);`