From b39ca017c0453c7420da64d062a2aa00e27d1fd3 Mon Sep 17 00:00:00 2001 From: Griffin Smith Date: Sat, 28 May 2022 13:53:17 -0400 Subject: fix(web/panettone): Properly handle un-padded base64 in jwts The JWT spec apparently specifies that base64 strings in jwts aren't to be padded - but the common lisp base64 library doesn't know how to decode unpadded base64 (it signals a condition in that case). This adds the extra padding characters (a number of `=` characters such that the length of the string is a multiple of 4) using some FORMAT wizardry (?). Change-Id: Ic6b66f05db2699bf1f93f870f5dd614c37eccc2d Reviewed-on: https://cl.tvl.fyi/c/depot/+/5781 Tested-by: BuildkiteCI Reviewed-by: tazjin Autosubmit: grfn --- web/panettone/src/authentication.lisp | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'web/panettone') diff --git a/web/panettone/src/authentication.lisp b/web/panettone/src/authentication.lisp index 291284b41619..5c6d82e02027 100644 --- a/web/panettone/src/authentication.lisp +++ b/web/panettone/src/authentication.lisp @@ -78,6 +78,12 @@ the user, however email addresses are temporarily not available." ;; TODO(tazjin): Figure out actual displayName mapping in tokens. :displayname username))) +(defun add-missing-base64-padding (s) + "Add any missing padding characters to the (un-padded) base64 string `S', such +that it can be successfully decoded by the `BASE64' package" + ;; I apologize + (format nil "~A~v@{~A~:*~}" s (- 4 (mod (length s) 4)) "=")) + (defun fetch-token (code) "Fetches the access token on completion of user authentication through the OAuth2 endpoint and returns the resulting user object." @@ -105,5 +111,11 @@ the OAuth2 endpoint and returns the resulting user object." (access-token (cdr (assoc :access--token response))) (payload (cadr (uiop:split-string access-token :separator '(#\.)))) (claims (cl-json:decode-json-from-string - (base64:base64-string-to-string payload)))) + (base64:base64-string-to-string + ;; The JWT spec specifies that base64 strings + ;; embedded in jwts are *not* padded, but the common + ;; lisp base64 library doesn't know how to deal with + ;; that - we need to add those extra padding + ;; characters here. + (add-missing-base64-padding payload))))) (claims-to-user claims)))))) -- cgit 1.4.1