feat: remove padding from base64 encoded token (#26)

birme · web-flow · commit 853317b531f1 · 2025-03-26T10:41:05.000+01:00
* feat: remove padding from base64 encoded token

* fix: no padding on catif renew
diff --git a/src/index.test.ts b/src/index.test.ts
@@ -183,6 +183,53 @@ describe('CAT', () => {
     });
   });
 
+  test('can generate a token with no padding', async () => {
+    const generator = new CAT({
+      keys: {
+        Symmetric256: Buffer.from(
+          '403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d79569388',
+          'hex'
+        )
+      }
+    });
+    const base64encoded = await generator.generateFromJson(
+      {
+        iss: 'eyevinn',
+        exp: 1742984408,
+        iat: 1742980808,
+        cti: '66400ca63ab2c267cc0d874cc5f9a378',
+        catv: 1
+      },
+      {
+        type: 'mac',
+        alg: 'HS256',
+        kid: 'Symmetric256'
+      }
+    );
+    console.log(base64encoded);
+    expect(base64encoded).not.toContain('=');
+    const validator = new CAT({
+      keys: {
+        Symmetric256: Buffer.from(
+          '403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d79569388',
+          'hex'
+        )
+      }
+    });
+    const result = await validator.validate(base64encoded!, 'mac', {
+      issuer: 'eyevinn'
+    });
+    expect(result.error).not.toBeDefined();
+    expect(result.cat).toBeDefined();
+    expect(result.cat!.claims).toEqual({
+      iss: 'eyevinn',
+      exp: 1742984408,
+      iat: 1742980808,
+      cti: '66400ca63ab2c267cc0d874cc5f9a378',
+      catv: 1
+    });
+  });
+
   test('can validate a MAC:ed token with standard claims', async () => {
     const base64encoded =
       '0YRDoQEFoQRMU3ltbWV0cmljMjU2eDZkOTAxMDNhMTAxNzU2MzZmNjE3MDNhMmYyZjYxNzMyZTY1Nzg2MTZkNzA2YzY1MmU2MzZmNmRYIDL8dIteq8pMXXX9oL4eo2NX1kQUaselV6p/JHSEVXWX';
diff --git a/src/index.ts b/src/index.ts
@@ -4,7 +4,7 @@ import {
   CommonAccessTokenFactory
 } from './cat';
 import { KeyNotFoundError } from './errors';
-import { generateRandomHex, toBase64 } from './util';
+import { generateRandomHex, toBase64NoPadding } from './util';
 
 export { CommonAccessToken } from './cat';
 export { CommonAccessTokenRenewal } from './catr';
@@ -239,7 +239,7 @@ export class CAT {
       if (!cat.raw) {
         throw new Error('Failed to MAC token');
       }
-      return toBase64(cat.raw);
+      return toBase64NoPadding(cat.raw);
     }
   }
 
@@ -295,7 +295,7 @@ export class CAT {
       if (!cat.raw) {
         throw new Error('Failed to MAC token');
       }
-      return toBase64(cat.raw);
+      return toBase64NoPadding(cat.raw);
     }
   }
 
@@ -329,6 +329,6 @@ export class CAT {
     if (!newCat.raw) {
       throw new Error('Failed to MAC token');
     }
-    return toBase64(newCat.raw);
+    return toBase64NoPadding(newCat.raw);
   }
 }
diff --git a/src/util.ts b/src/util.ts
@@ -24,3 +24,13 @@ export function toHex(input: Buffer): string {
     .map((byte) => byte.toString(16).padStart(2, '0'))
     .join('');
 }
+
+/**
+ * Convert a buffer to base64 string without padding
+ * @param input Buffer to convert
+ * @returns Base64 string without padding
+ */
+export function toBase64NoPadding(input: Buffer): string {
+  const base64 = toBase64(input);
+  return base64.replace(/=+$/, '');
+}
diff --git a/src/validators/http.ts b/src/validators/http.ts
@@ -20,6 +20,7 @@ import { CommonAccessTokenDict, CommonAccessTokenFactory } from '../cat';
 import { ICTIStore } from '../stores/interface';
 import { ITokenLogger } from '../loggers/interface';
 import { CatIfDictValue } from '../catif';
+import { toBase64NoPadding } from '../util';
 
 interface HttpValidatorKey {
   kid: string;
@@ -388,7 +389,7 @@ export class HttpValidator {
                 this.opts.alg || 'HS256',
                 { addCwtTag: true }
               );
-              const newToken = newCat.raw?.toString('base64');
+              const newToken = toBase64NoPadding(newCat.raw!);
               const encodedToken = encodeURIComponent(newToken!);
               const newUrl = new URL(value[header][0] + encodedToken);
               response.setHeader(header, newUrl.toString());

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ import {`
`4`	`4`	`CommonAccessTokenFactory`
`5`	`5`	`} from './cat';`
`6`	`6`	`import { KeyNotFoundError } from './errors';`
`7`		`-import { generateRandomHex, toBase64 } from './util';`
	`7`	`+import { generateRandomHex, toBase64NoPadding } from './util';`
`8`	`8`
`9`	`9`	`export { CommonAccessToken } from './cat';`
`10`	`10`	`export { CommonAccessTokenRenewal } from './catr';`
`@@ -239,7 +239,7 @@ export class CAT {`
`239`	`239`	`if (!cat.raw) {`
`240`	`240`	`throw new Error('Failed to MAC token');`
`241`	`241`	`}`
`242`		`- return toBase64(cat.raw);`
	`242`	`+ return toBase64NoPadding(cat.raw);`
`243`	`243`	`}`
`244`	`244`	`}`
`245`	`245`
`@@ -295,7 +295,7 @@ export class CAT {`
`295`	`295`	`if (!cat.raw) {`
`296`	`296`	`throw new Error('Failed to MAC token');`
`297`	`297`	`}`
`298`		`- return toBase64(cat.raw);`
	`298`	`+ return toBase64NoPadding(cat.raw);`
`299`	`299`	`}`
`300`	`300`	`}`
`301`	`301`
`@@ -329,6 +329,6 @@ export class CAT {`
`329`	`329`	`if (!newCat.raw) {`
`330`	`330`	`throw new Error('Failed to MAC token');`
`331`	`331`	`}`
`332`		`- return toBase64(newCat.raw);`
	`332`	`+ return toBase64NoPadding(newCat.raw);`
`333`	`333`	`}`
`334`	`334`	`}`