dewonderstruck · vamsii777 · Oct 28, 2024 · Oct 27, 2024 · Oct 28, 2024 · Oct 28, 2024
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -12,7 +12,7 @@ jobs:
   ubuntu_test:
     name: Ubuntu Build & Test
     runs-on: ubuntu-22.04
-    container: swift:5.7.3-jammy
+    container: swift:6.0
     steps:
     - uses: actions/checkout@v3
     - name: Build
@@ -22,8 +22,8 @@ jobs:
   macos_test:
     name: macOS Build & Test
     env:
-      DEVELOPER_DIR: /Applications/Xcode_14.2.app/Contents/Developer
-    runs-on: macos-12
+      DEVELOPER_DIR: /Applications/Xcode_16.0.app/Contents/Developer
+    runs-on: macos-14
     steps:
     - uses: actions/checkout@v3
     - name: Build

diff --git a/Package.swift b/Package.swift
@@ -13,12 +13,13 @@ let package = Package(
         )
     ],
     dependencies: [
-        .package(url: "https://github.com/vapor/vapor.git", from: "4.106.0")
+        .package(url: "https://github.com/vapor/vapor.git", from: "4.106.0"),
+        .package(url: "https://github.com/apple/swift-crypto.git", from: "3.8.1")
     ],
     targets: [
         .target(
             name: "VaporOAuth",
-            dependencies: [.product(name: "Vapor", package: "vapor")],
+            dependencies: [.product(name: "Vapor", package: "vapor"), .product(name: "Crypto", package: "swift-crypto")],
             swiftSettings: [
                 .enableUpcomingFeature("BareSlashRegexLiterals"),
                 .enableExperimentalFeature("StrictConcurrency=complete"),

diff --git a/Sources/VaporOAuth/DefaultImplementations/EmptyCodeManager.swift b/Sources/VaporOAuth/DefaultImplementations/EmptyCodeManager.swift
@@ -9,7 +9,9 @@ public struct EmptyCodeManager: CodeManager {
         userID: String,
         clientID: String,
         redirectURI: String,
-        scopes: [String]?
+        scopes: [String]?,
+        codeChallenge: String?,
+        codeChallengeMethod: String?
     ) throws -> String {
         return ""
     }

diff --git a/Sources/VaporOAuth/Models/OAuthCode.swift b/Sources/VaporOAuth/Models/OAuthCode.swift
@@ -7,22 +7,27 @@ public final class OAuthCode: @unchecked Sendable {
     public let userID: String
     public let expiryDate: Date
     public let scopes: [String]?
-
+    public let codeChallenge: String?
+    public let codeChallengeMethod: String?
     public var extend: [String: Any] = [:]
-
+    
     public init(
         codeID: String,
         clientID: String,
         redirectURI: String,
         userID: String,
         expiryDate: Date,
-        scopes: [String]?
+        scopes: [String]?,
+        codeChallenge: String?,
+        codeChallengeMethod: String?
     ) {
         self.codeID = codeID
         self.clientID = clientID
         self.redirectURI = redirectURI
         self.userID = userID
         self.expiryDate = expiryDate
         self.scopes = scopes
+        self.codeChallenge = codeChallenge
+        self.codeChallengeMethod = codeChallengeMethod
     }
 }
diff --git a/Sources/VaporOAuth/Protocols/AuthorizeHandler.swift b/Sources/VaporOAuth/Protocols/AuthorizeHandler.swift
@@ -13,6 +13,7 @@ public enum AuthorizationError: Error, Sendable {
     case confidentialClientTokenGrant
     case invalidRedirectURI
     case httpRedirectURI
+    case missingPKCE
 }
 
 public struct AuthorizationRequestObject: Sendable {
@@ -22,4 +23,18 @@ public struct AuthorizationRequestObject: Sendable {
     public let scope: [String]
     public let state: String?
     public let csrfToken: String
+     // PKCE parameters
+    public let codeChallenge: String?
+    public let codeChallengeMethod: String?
+
+    public init(responseType: String, clientID: String, redirectURI: URI, scope: [String], state: String?, csrfToken: String, codeChallenge: String?, codeChallengeMethod: String?) {
+        self.responseType = responseType
+        self.clientID = clientID
+        self.redirectURI = redirectURI
+        self.scope = scope
+        self.state = state
+        self.csrfToken = csrfToken
+        self.codeChallenge = codeChallenge
+        self.codeChallengeMethod = codeChallengeMethod
+    }   
 }
diff --git a/Sources/VaporOAuth/Protocols/CodeManager.swift b/Sources/VaporOAuth/Protocols/CodeManager.swift
@@ -1,6 +1,6 @@
 /// Responsible for generating and managing OAuth Codes
 public protocol CodeManager: Sendable {
-    func generateCode(userID: String, clientID: String, redirectURI: String, scopes: [String]?) async throws -> String
+    func generateCode(userID: String, clientID: String, redirectURI: String, scopes: [String]?, codeChallenge: String?, codeChallengeMethod: String?) async throws -> String
     func getCode(_ code: String) async throws -> OAuthCode?
 
     // This is explicit to ensure that the code is marked as used or deleted (it could be implied that this is done when you call

diff --git a/Sources/VaporOAuth/RouteHandlers/AuthorizeGetHandler.swift b/Sources/VaporOAuth/RouteHandlers/AuthorizeGetHandler.swift
@@ -54,10 +54,12 @@ struct AuthorizeGetHandler: Sendable {
         let csrfToken = [UInt8].random(count: 32).hex
 
         request.session.data[SessionData.csrfToken] = csrfToken
+
         let authorizationRequestObject = AuthorizationRequestObject(responseType: authRequestObject.responseType,
                                                                     clientID: authRequestObject.clientID, redirectURI: redirectURI,
                                                                     scope: authRequestObject.scopes, state: authRequestObject.state,
-                                                                    csrfToken: csrfToken)
+                                                                    csrfToken: csrfToken, codeChallenge: authRequestObject.codeChallenge,
+                                                                    codeChallengeMethod: authRequestObject.codeChallengeMethod)
 
         return try await authorizeHandler.handleAuthorizationRequest(request, authorizationRequestObject: authorizationRequestObject)
     }
@@ -98,9 +100,37 @@ struct AuthorizeGetHandler: Sendable {
             return (errorResponse, nil)
         }
 
+        let codeChallenge: String? = request.query[OAuthRequestParameters.codeChallenge]
+        let codeChallengeMethod: String? = request.query[OAuthRequestParameters.codeChallengeMethod]
+
+        // PKCE Validation
+        if let codeChallenge = codeChallenge {
+            if let codeChallengeMethod = codeChallengeMethod {
+                if !(codeChallengeMethod == "plain" || codeChallengeMethod == "S256") {
+                    // Invalid codeChallengeMethod
+                    let errorResponse = createErrorResponse(request: request,
+                                                            redirectURI: redirectURIString,
+                                                            errorType: OAuthResponseParameters.ErrorType.invalidRequest,
+                                                            errorDescription: "Invalid code challenge method",
+                                                            state: state)
+                    return (errorResponse, nil)
+                }
+            } else {
+                // codeChallengeMethod is missing
+                let errorResponse = createErrorResponse(request: request,
+                                                        redirectURI: redirectURIString,
+                                                        errorType: OAuthResponseParameters.ErrorType.invalidRequest,
+                                                        errorDescription: "Code challenge method is required when code challenge is provided",
+                                                        state: state)
+                return (errorResponse, nil)
+            }
+        }
+
         let authRequestObject = AuthorizationGetRequestObject(clientID: clientID, redirectURIString: redirectURIString,
                                                               scopes: scopes, state: state,
-                                                              responseType: responseType)
+                                                              responseType: responseType,
+                                                              codeChallenge: codeChallenge,
+                                                              codeChallengeMethod: codeChallengeMethod)
 
         return (nil, authRequestObject)
     }
@@ -128,4 +158,6 @@ struct AuthorizationGetRequestObject: Sendable {
     let scopes: [String]
     let state: String?
     let responseType: String
+    let codeChallenge: String?
+    let codeChallengeMethod: String?
 }
diff --git a/Sources/VaporOAuth/RouteHandlers/AuthorizePostHandler.swift b/Sources/VaporOAuth/RouteHandlers/AuthorizePostHandler.swift
@@ -9,6 +9,8 @@ struct AuthorizePostRequest: Sendable {
     let responseType: String
     let csrfToken: String
     let scopes: [String]?
+    let codeChallenge: String?
+    let codeChallengeMethod: String?
 }
 
 struct AuthorizePostHandler: Sendable {
@@ -49,7 +51,9 @@ struct AuthorizePostHandler: Sendable {
                     userID: requestObject.userID,
                     clientID: requestObject.clientID,
                     redirectURI: requestObject.redirectURIBaseString,
-                    scopes: requestObject.scopes
+                    scopes: requestObject.scopes,
+                    codeChallenge: requestObject.codeChallenge,
+                    codeChallengeMethod: requestObject.codeChallengeMethod
                 )
                 redirectURI += "?code=\(generatedCode)"
             } else {
@@ -107,9 +111,15 @@ struct AuthorizePostHandler: Sendable {
             scopes = nil
         }
 
+        let codeChallenge: String? = request.query[String.self, at: OAuthRequestParameters.codeChallenge]
+
+        let codeChallengeMethod: String? = request.query[String.self, at: OAuthRequestParameters.codeChallengeMethod]
+
+
         return AuthorizePostRequest(user: user, userID: userID, redirectURIBaseString: redirectURIBaseString,
                                     approveApplication: approveApplication, clientID: clientID,
-                                    responseType: responseType, csrfToken: csrfToken, scopes: scopes)
+                                    responseType: responseType, csrfToken: csrfToken, scopes: scopes,
+                                    codeChallenge: codeChallenge, codeChallengeMethod: codeChallengeMethod)
     }
 
 }
diff --git a/Sources/VaporOAuth/RouteHandlers/TokenHandlers/AuthCodeTokenHandler.swift b/Sources/VaporOAuth/RouteHandlers/TokenHandlers/AuthCodeTokenHandler.swift
@@ -1,57 +1,79 @@
 import Vapor
 
 struct AuthCodeTokenHandler {
-
+    
     let clientValidator: ClientValidator
     let tokenManager: TokenManager
     let codeManager: CodeManager
     let codeValidator = CodeValidator()
     let tokenResponseGenerator: TokenResponseGenerator
-
+    
     func handleAuthCodeTokenRequest(_ request: Request) async throws -> Response {
+        // Parameter validation
         guard let codeString: String = request.content[OAuthRequestParameters.code] else {
-            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidRequest,
-                                                             description: "Request was missing the 'code' parameter")
+            return try tokenResponseGenerator.createResponse(
+                error: OAuthResponseParameters.ErrorType.invalidRequest,
+                description: "Request was missing the 'code' parameter"
+            )
         }
-
+        
         guard let redirectURI: String = request.content[OAuthRequestParameters.redirectURI] else {
-            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidRequest,
-                                                             description: "Request was missing the 'redirect_uri' parameter")
+            return try tokenResponseGenerator.createResponse(
+                error: OAuthResponseParameters.ErrorType.invalidRequest,
+                description: "Request was missing the 'redirect_uri' parameter"
+            )
         }
-
+        
         guard let clientID: String = request.content[OAuthRequestParameters.clientID] else {
-            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidRequest,
-                                                             description: "Request was missing the 'client_id' parameter")
+            return try tokenResponseGenerator.createResponse(
+                error: OAuthResponseParameters.ErrorType.invalidRequest,
+                description: "Request was missing the 'client_id' parameter"
+            )
         }
-
+
+        // Client authentication
         do {
-            try await clientValidator.authenticateClient(clientID: clientID,
-                                                   clientSecret: request.content[String.self, at: OAuthRequestParameters.clientSecret],
-                                                   grantType: .authorization)
+            try await clientValidator.authenticateClient(
+                clientID: clientID,
+                clientSecret: request.content[String.self, at: OAuthRequestParameters.clientSecret],
+                grantType: .authorization
+            )
         } catch {
-            return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidClient,
-                                                             description: "Request had invalid client credentials", status: .unauthorized)
+            return try tokenResponseGenerator.createResponse(
+                error: OAuthResponseParameters.ErrorType.invalidClient,
+                description: "Request had invalid client credentials",
+                status: .unauthorized
+            )
         }
-
+
+        // Code retrieval and all validations
         guard let code = try await codeManager.getCode(codeString),
-            codeValidator.validateCode(code, clientID: clientID, redirectURI: redirectURI) else {
-                let errorDescription = "The code provided was invalid or expired, or the redirect URI did not match"
-                return try tokenResponseGenerator.createResponse(error: OAuthResponseParameters.ErrorType.invalidGrant,
-                                                                 description: errorDescription)
+              codeValidator.validateBasicRequirements(code, clientID: clientID, redirectURI: redirectURI),
+              codeValidator.validatePKCE(code, codeVerifier: request.content[OAuthRequestParameters.codeVerifier]) else {
+            return try tokenResponseGenerator.createResponse(
+                error: OAuthResponseParameters.ErrorType.invalidGrant,
+                description: "The code provided was invalid or expired, or the redirect URI did not match"
+            )
         }
-
+
+        // Mark code as used after successful validation
         try await codeManager.codeUsed(code)
-
-        let scopes = code.scopes
+        
+        // Generate tokens
         let expiryTime = 3600
-
         let (access, refresh) = try await tokenManager.generateAccessRefreshTokens(
-            clientID: clientID, userID: code.userID,
-            scopes: scopes,
+            clientID: clientID,
+            userID: code.userID,
+            scopes: code.scopes,
             accessTokenExpiryTime: expiryTime
         )
-
-        return try tokenResponseGenerator.createResponse(accessToken: access, refreshToken: refresh, expires: Int(expiryTime),
-                                  scope: scopes?.joined(separator: " "))
+
+        // Return successful response
+        return try tokenResponseGenerator.createResponse(
+            accessToken: access,
+            refreshToken: refresh,
+            expires: Int(expiryTime),
+            scope: code.scopes?.joined(separator: " ")
+        )
     }
 }
diff --git a/Sources/VaporOAuth/Utilities/OAuthFlowType.swift b/Sources/VaporOAuth/Utilities/OAuthFlowType.swift
@@ -1,7 +1,12 @@
 public enum OAuthFlowType: String, Sendable {
     case authorization = "authorization_code"
+
+    @available(*, deprecated, message: "The Implicit Grant flow is deprecated and not recommended for security reasons. It returns access tokens in HTTP redirects without confirmation of client receipt. Native and browser-based apps should use Authorization Code flow with PKCE instead, as recommended by OAuth 2.0 Security Best Practices.")
     case implicit = "implicit"
+
+    @available(*, deprecated, message: "The Password Grant flow is deprecated and not recommended for security reasons. It is disallowed in OAuth 2.1 and exposes user credentials. Use Authorization Code flow with PKCE instead.")
     case password = "password"
+
     case clientCredentials = "client_credentials"
     case refresh = "refresh_token"
     case tokenIntrospection = "token_introspection"

diff --git a/Sources/VaporOAuth/Utilities/StringDefines.swift b/Sources/VaporOAuth/Utilities/StringDefines.swift
@@ -13,6 +13,9 @@ struct OAuthRequestParameters: Sendable {
     static let usernname = "username"
     static let csrfToken = "csrfToken"
     static let token = "token"
+    static let codeChallenge = "code_challenge"
+    static let codeChallengeMethod = "code_challenge_method"
+    static let codeVerifier = "code_verifier"
 }
 
 struct OAuthResponseParameters: Sendable {

diff --git a/Sources/VaporOAuth/Validators/CodeValidator.swift b/Sources/VaporOAuth/Validators/CodeValidator.swift
@@ -1,19 +1,32 @@
 import Foundation
+import Crypto
 
 struct CodeValidator {
-    func validateCode(_ code: OAuthCode, clientID: String, redirectURI: String) -> Bool {
-        guard code.clientID == clientID else {
-            return false
-        }
-
-        guard code.expiryDate >= Date() else {
-            return false
-        }
-
-        guard code.redirectURI == redirectURI else {
-            return false
+    /// Validates the basic OAuth code requirements (mandatory)
+    func validateBasicRequirements(_ code: OAuthCode, clientID: String, redirectURI: String) -> Bool {
+        return code.clientID == clientID &&
+               code.redirectURI == redirectURI &&
+               code.expiryDate >= Date()
+    }
+
+    /// Validates PKCE if used (optional enhancement)
+    func validatePKCE(_ code: OAuthCode, codeVerifier: String?) -> Bool {
+        // If code challenge was used in authorization request
+        if let codeChallenge = code.codeChallenge,
+           let codeChallengeMethod = code.codeChallengeMethod {
+            // Code verifier is required when code challenge was used
+            guard let verifier = codeVerifier else {
+                return false
+            }
+
+            return PKCEValidator().validate(
+                codeVerifier: verifier,
+                codeChallenge: codeChallenge,
+                codeChallengeMethod: codeChallengeMethod
+            )
         }
-
+
+        // PKCE wasn't used in authorization request, so no verification needed
         return true
     }
 }