refactor: Taking into account Github issues 8 and 9

Author: AdrienGras

.cz.toml

@@ -0,0 +1,7 @@
+[tool.commitizen]
+name = "cz_conventional_commits"
+tag_format = "$version"
+version_scheme = "semver"
+version_provider = "composer"
+update_changelog_on_bump = true
+major_version_zero = true

README.md

@@ -8,12 +8,14 @@ A simple utility to use PKCE (Proof Key for Code Exchange) in PHP.
 This little utility is intended to help people using Oauth2 with PKCE in PHP. It provides a simple way to generate a code verifier, a code challenge and to validate a code verifier with a code challenge.
 
 ## Summary
+
 - [Features](#features)
 - [Installation](#installation)
 - [Usage](#usage)
 - [License](#license)
 
 ## Features
+
 - [x] Generate a code verifier
 - [x] Generate a code challenge from a given code verifier
 - [x] Generate a pair of code verifier and code challenge
@@ -22,12 +24,15 @@ This little utility is intended to help people using Oauth2 with PKCE in PHP. It
 > **Note:** All the code complies to the [RFC 7636](https://tools.ietf.org/html/rfc7636).
 
 ## Installation
+
 Using composer:
+
 ```bash
 composer require adriengras/pkce-php
 ```
 
 ## Usage
+
 ```php
 // import with composer autoloader
 use AdrienGras\PKCE\PKCE;
@@ -49,7 +54,7 @@ $pair = PKCEUtils::generateCodePair();
 $verifier = $pair['code_verifier'];
 $challenge = $pair['code_challenge'];
 // or with destructuring
-[$verifier, $challenge] = PKCEUtils::generateCodePair();
+['code_verifier' => $verifier, 'code_challenge' => $challenge] = PKCEUtils::generateCodePair();
 
 // validate a code verifier with a code challenge
 $isValid = PKCEUtils::validate($verifier, $challenge);
@@ -58,4 +63,5 @@ $isValid = PKCEUtils::validate($verifier, $challenge);
 > **Note** You can also use the test case suite as a full example on how to use this utility. You can find it in the [tests](tests) folder.
 
 ## License
+
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

cliff.toml

@@ -0,0 +1,83 @@
+# git-cliff ~ default configuration file
+# https://git-cliff.org/docs/configuration
+#
+# Lines starting with "#" are comments.
+# Configuration options are organized into tables and keys.
+# See documentation for more information on available options.
+
+[changelog]
+# template for the changelog header
+header = """
+# Changelog\n
+All notable changes to this project will be documented in this file.\n
+"""
+# template for the changelog body
+# https://keats.github.io/tera/docs/#introduction
+body = """
+{% if version %}\
+    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits %}
+        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+            {% if commit.breaking %}[**breaking**] {% endif %}\
+            {{ commit.message | upper_first }}\
+    {% endfor %}
+{% endfor %}\n
+"""
+# template for the changelog footer
+footer = """
+<!-- generated by git-cliff -->
+"""
+# remove the leading and trailing s
+trim = true
+# postprocessors
+postprocessors = [
+  # { pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" }, # replace repository URL
+]
+# render body even when there are no releases to process
+# render_always = true
+# output file path
+# output = "test.md"
+
+[git]
+# parse the commits based on https://www.conventionalcommits.org
+conventional_commits = true
+# filter out the commits that are not conventional
+filter_unconventional = true
+# process each line of a commit as an individual commit
+split_commits = false
+# regex for preprocessing the commit messages
+commit_preprocessors = [
+  # Replace issue numbers
+  #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+  # Check spelling of the commit with https://github.com/crate-ci/typos
+  # If the spelling is incorrect, it will be automatically fixed.
+  #{ pattern = '.*', replace_command = 'typos --write-changes -' },
+]
+# regex for parsing and grouping commits
+commit_parsers = [
+  { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+  { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+  { message = "^doc", group = "<!-- 3 -->📚 Documentation" },
+  { message = "^perf", group = "<!-- 4 -->⚡ Performance" },
+  { message = "^refactor", group = "<!-- 2 -->🚜 Refactor" },
+  { message = "^style", group = "<!-- 5 -->🎨 Styling" },
+  { message = "^test", group = "<!-- 6 -->🧪 Testing" },
+  { message = "^chore\\(release\\): prepare for", skip = true },
+  { message = "^chore\\(deps.*\\)", skip = true },
+  { message = "^chore\\(pr\\)", skip = true },
+  { message = "^chore\\(pull\\)", skip = true },
+  { message = "^chore|^ci", group = "<!-- 7 -->⚙️ Miscellaneous Tasks" },
+  { body = ".*security", group = "<!-- 8 -->🛡️ Security" },
+  { message = "^revert", group = "<!-- 9 -->◀️ Revert" },
+]
+# filter out the commits that are not matched by commit parsers
+filter_commits = false
+# sort the tags topologically
+topo_order = false
+# sort the commits inside sections by oldest/newest order
+sort_commits = "oldest"

composer.json

@@ -1,29 +1,29 @@
 {
-    "name": "adriengras/pkce-php",
-    "description": "A simple utility to use PKCE (Proof Key for Code Exchange) in PHP.",
-    "type": "library",
-    "license": "MIT",
-    "autoload": {
-        "psr-4": {
-            "AdrienGras\\PKCE\\": "src/"
-        }
-    },
-    "autoload-dev": {
-        "psr-4": {
-            "AdrienGras\\PKCE\\Tests\\": "tests/"
-        }
-    },
-    "authors": [
-        {
-            "name": "Adrien Gras",
-            "email": "agr@owlnext.fr"
-        }
-    ],
-    "minimum-stability": "stable",
-    "require": {
-        "php": ">=7.4"
-    },
-    "require-dev": {
-        "symfony/test-pack": "^1.1"
+  "name": "adriengras/pkce-php",
+  "description": "A simple utility to use PKCE (Proof Key for Code Exchange) in PHP.",
+  "type": "library",
+  "license": "MIT",
+  "autoload": {
+    "psr-4": {
+      "AdrienGras\\PKCE\\": "src/"
     }
+  },
+  "autoload-dev": {
+    "psr-4": {
+      "AdrienGras\\PKCE\\Tests\\": "tests/"
+    }
+  },
+  "authors": [
+    {
+      "name": "Adrien Gras",
+      "email": "agr@owlnext.fr"
+    }
+  ],
+  "minimum-stability": "stable",
+  "require": {
+    "php": ">=7.4"
+  },
+  "require-dev": {
+    "symfony/test-pack": "^1.1.0"
+  }
 }

src/PKCEUtils.php

@@ -24,49 +24,64 @@ class PKCEUtils
      */
     public const CODE_CHALLENGE_METHOD_S256 = 'S256';
 
+    // 66 characters, differs from the urlsafe base64 charset               
+    private const PKCE_VERIFIER_CHARSET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+
+
     /**
-     * Generate a code verifier.
-     * @see https://tools.ietf.org/html/rfc7636#section-4.1
+     * Generate a code verifier given a length. (default: 64)
+     * @param int $length The length of the code verifier. It must be between 43 and 128.
      * @return string The code verifier.
      * @throws Exception if an appropriate source of randomness cannot be found.
+     * @see https://tools.ietf.org/html/rfc7636#section-4.1
+     * @see https://github.com/AdrienGras/pkce-php/issues/8
      */
-    public static function generateCodeVerifier(): string
+    public static function generateCodeVerifier(int $length = 64): string
     {
-        return rtrim(strtr(base64_encode(random_bytes(64)), '+/', '-_'), '=');
+        $str = "";
+
+        if ($length < 43 || $length > 128) {
+            throw new \InvalidArgumentException('The length of the code verifier must be between 43 and 128. See https://tools.ietf.org/html/rfc7636#section-4.1');
+        }
+
+        for ($i = 0; $i < $length; $i++) {
+            $str .= self::PKCE_VERIFIER_CHARSET[random_int(0, strlen(self::PKCE_VERIFIER_CHARSET) - 1)];
+        }
+
+        return $str;
     }
 
     /**
      * Derive a code challenge from a code verifier.
      * @param string $codeVerifier The code verifier to derive a code challenge from.
      * @param string $codeChallengeMethod The code challenge method to use. Use one of the constants from this class.
      * @return string The code challenge.
+     * @see https://github.com/AdrienGras/pkce-php/issues/8
      */
     public static function generateCodeChallenge(
         string $codeVerifier,
         string $codeChallengeMethod = self::CODE_CHALLENGE_METHOD_S256
-    ): string
-    {
+    ): string {
         if (false === in_array($codeChallengeMethod, self::supportedCodeChallengeMethods())) {
             throw new \InvalidArgumentException(sprintf('Code challenge method "%s" is not supported.', $codeChallengeMethod));
         }
 
         if (self::CODE_CHALLENGE_METHOD_PLAIN === $codeChallengeMethod) {
+            // quick exit, since there is no transformation
             return $codeVerifier;
         }
 
-        if (self::CODE_CHALLENGE_METHOD_S256 === $codeChallengeMethod) {
-            $codeChallengeMethod = 'sha256';
-        }
-
-        return rtrim(strtr(base64_encode(hash($codeChallengeMethod, $codeVerifier, true)), '+/', '-_'), '=');
+        $hash = hash('sha256', $codeVerifier, true);
+        return sodium_bin2base64($hash, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
     }
 
     /**
      * Generate a code verifier and a code challenge.
      * @return array The code verifier and the code challenge.
      * @throws Exception if an appropriate source of randomness cannot be found.
      */
-    public static function generateCodePair(string $codeChallengeMethod = self::CODE_CHALLENGE_METHOD_S256): array {
+    public static function generateCodePair(string $codeChallengeMethod = self::CODE_CHALLENGE_METHOD_S256): array
+    {
         $verifier = self::generateCodeVerifier();
 
         return [
@@ -86,9 +101,8 @@ public static function validate(
         string $codeVerifier,
         string $codeChallenge,
         string $codeChallengeMethod = self::CODE_CHALLENGE_METHOD_S256
-    ): bool
-    {
-        return $codeChallenge === self::generateCodeChallenge($codeVerifier, $codeChallengeMethod);
+    ): bool {
+        return hash_equals($codeChallenge, self::generateCodeChallenge($codeVerifier, $codeChallengeMethod));
     }
 
     /**
@@ -102,5 +116,4 @@ public static function supportedCodeChallengeMethods(): array
             self::CODE_CHALLENGE_METHOD_S256,
         ];
     }
-
-}
+}