Take advantage of platform features in Microsoft Authentication extension (microsoft#166066)

Author: TylerLeonhardt

extensions/microsoft-authentication/extension-browser.webpack.config.js

@@ -25,8 +25,10 @@ module.exports = withBrowserDefaults({
 	},
 	resolve: {
 		alias: {
-			'./env/node': path.resolve(__dirname, 'src/env/browser'),
-			'./authServer': path.resolve(__dirname, 'src/env/browser/authServer'),
+			'./node/crypto': path.resolve(__dirname, 'src/browser/crypto'),
+			'./node/authServer': path.resolve(__dirname, 'src/browser/authServer'),
+			'./node/buffer': path.resolve(__dirname, 'src/browser/buffer'),
+			'./node/fetch': path.resolve(__dirname, 'src/browser/fetch'),
 		}
 	}
 });

extensions/microsoft-authentication/package.json

@@ -55,12 +55,7 @@
     "@types/uuid": "8.0.0"
   },
   "dependencies": {
-    "buffer": "^5.6.0",
     "node-fetch": "2.6.7",
-    "randombytes": "~2.1.0",
-    "sha.js": "2.4.11",
-    "stream": "0.0.2",
-    "uuid": "^8.2.0",
     "@vscode/extension-telemetry": "0.7.0-preview"
   },
   "repository": {

extensions/microsoft-authentication/src/AADHelper.ts

@@ -3,18 +3,16 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-import * as randomBytes from 'randombytes';
-import * as querystring from 'querystring';
-import { Buffer } from 'buffer';
 import * as vscode from 'vscode';
-import { v4 as uuid } from 'uuid';
-import fetch, { Response } from 'node-fetch';
+import * as querystring from 'querystring';
+import path = require('path');
 import Logger from './logger';
-import { isSupportedEnvironment, toBase64UrlEncoding } from './utils';
-import { sha256 } from './env/node/sha256';
+import { isSupportedEnvironment } from './utils';
+import { generateCodeChallenge, generateCodeVerifier, randomUUID } from './cryptoUtils';
 import { BetterTokenStorage, IDidChangeInOtherWindowEvent } from './betterSecretStorage';
-import { LoopbackAuthServer } from './authServer';
-import path = require('path');
+import { LoopbackAuthServer } from './node/authServer';
+import { base64Decode } from './node/buffer';
+import { fetching } from './node/fetch';
 
 const redirectUrl = 'https://vscode.dev/redirect';
 const loginEndpointUrl = 'https://login.microsoftonline.com/';
@@ -295,8 +293,8 @@ export class AzureActiveDirectoryService {
 	}
 
 	private async createSessionWithLocalServer(scopeData: IScopeData) {
-		const codeVerifier = toBase64UrlEncoding(randomBytes(32).toString('base64'));
-		const codeChallenge = toBase64UrlEncoding(await sha256(codeVerifier));
+		const codeVerifier = generateCodeVerifier();
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
 		const qs = new URLSearchParams({
 			response_type: 'code',
 			response_mode: 'query',
@@ -328,15 +326,15 @@ export class AzureActiveDirectoryService {
 
 	private async createSessionWithoutLocalServer(scopeData: IScopeData): Promise<vscode.AuthenticationSession> {
 		let callbackUri = await vscode.env.asExternalUri(vscode.Uri.parse(`${vscode.env.uriScheme}://vscode.microsoft-authentication`));
-		const nonce = randomBytes(16).toString('base64');
+		const nonce = generateCodeVerifier();
 		const callbackQuery = new URLSearchParams(callbackUri.query);
 		callbackQuery.set('nonce', encodeURIComponent(nonce));
 		callbackUri = callbackUri.with({
 			query: callbackQuery.toString()
 		});
 		const state = encodeURIComponent(callbackUri.toString(true));
-		const codeVerifier = toBase64UrlEncoding(randomBytes(32).toString('base64'));
-		const codeChallenge = toBase64UrlEncoding(await sha256(codeVerifier));
+		const codeVerifier = generateCodeVerifier();
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
 		const signInUrl = `${loginEndpointUrl}${scopeData.tenant}/oauth2/v2.0/authorize`;
 		const oauthStartQuery = new URLSearchParams({
 			response_type: 'code',
@@ -467,10 +465,10 @@ export class AzureActiveDirectoryService {
 
 		try {
 			if (json.id_token) {
-				claims = JSON.parse(Buffer.from(json.id_token.split('.')[1], 'base64').toString());
+				claims = JSON.parse(base64Decode(json.id_token.split('.')[1]));
 			} else {
 				Logger.info('Attempting to parse access_token instead since no id_token was included in the response.');
-				claims = JSON.parse(Buffer.from(json.access_token.split('.')[1], 'base64').toString());
+				claims = JSON.parse(base64Decode(json.access_token.split('.')[1]));
 			}
 		} catch (e) {
 			throw e;
@@ -491,7 +489,7 @@ export class AzureActiveDirectoryService {
 			idToken: json.id_token,
 			refreshToken: json.refresh_token,
 			scope: scopeData.scopeStr,
-			sessionId: existingId || `${id}/${uuid()}`,
+			sessionId: existingId || `${id}/${randomUUID()}`,
 			account: {
 				label,
 				id
@@ -739,10 +737,10 @@ export class AzureActiveDirectoryService {
 		let attempts = 0;
 		while (attempts <= 3) {
 			attempts++;
-			let result: Response | undefined;
+			let result;
 			let errorMessage: string | undefined;
 			try {
-				result = await fetch(endpoint, {
+				result = await fetching(endpoint, {
 					method: 'POST',
 					headers: {
 						'Content-Type': 'application/x-www-form-urlencoded',

extensions/microsoft-authentication/src/env/browser/authServer.ts renamed to extensions/microsoft-authentication/src/browser/authServer.ts

@@ -3,9 +3,11 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-'use strict';
+export function base64Encode(text: string): string {
+	return btoa(text);
+}
 
-export async function sha256(s: string | Uint8Array): Promise<string> {
-	const createHash = require('sha.js');
-	return createHash('sha256').update(s).digest('base64');
+export function base64Decode(text: string): string {
+	const data = atob(text);
+	return data;
 }

extensions/microsoft-authentication/src/env/browser/sha256.ts renamed to extensions/microsoft-authentication/src/browser/buffer.ts

@@ -3,8 +3,4 @@
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
-'use strict';
-
-export async function sha256(s: string | Uint8Array): Promise<string> {
-	return (require('crypto')).createHash('sha256').update(s).digest('base64');
-}
+export const crypto = globalThis.crypto;

extensions/microsoft-authentication/src/env/node/sha256.ts renamed to extensions/microsoft-authentication/src/browser/crypto.ts

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+export const fetching = fetch;

extensions/microsoft-authentication/src/browser/fetch.ts

@@ -0,0 +1,45 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+import { base64Encode } from './node/buffer';
+import { crypto } from './node/crypto';
+
+export function randomUUID() {
+	return crypto.randomUUID();
+}
+
+function dec2hex(dec: number): string {
+	return ('0' + dec.toString(16)).slice(-2);
+}
+
+export function generateCodeVerifier(): string {
+	const array = new Uint32Array(56 / 2);
+	crypto.getRandomValues(array);
+	return Array.from(array, dec2hex).join('');
+}
+
+function sha256(plain: string | undefined) {
+	const encoder = new TextEncoder();
+	const data = encoder.encode(plain);
+	return crypto.subtle.digest('SHA-256', data);
+}
+
+function base64urlencode(a: ArrayBuffer) {
+	let str = '';
+	const bytes = new Uint8Array(a);
+	const len = bytes.byteLength;
+	for (let i = 0; i < len; i++) {
+		str += String.fromCharCode(bytes[i]);
+	}
+	return base64Encode(str)
+		.replace(/\+/g, '-')
+		.replace(/\//g, '_')
+		.replace(/=+$/, '');
+}
+
+export async function generateCodeChallenge(v: string) {
+	const hashed = await sha256(v);
+	const base64encoded = base64urlencode(hashed);
+	return base64encoded;
+}

extensions/microsoft-authentication/src/cryptoUtils.ts

@@ -0,0 +1,12 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+export function base64Encode(text: string): string {
+	return Buffer.from(text, 'binary').toString('base64');
+}
+
+export function base64Decode(text: string): string {
+	return Buffer.from(text, 'base64').toString('utf8');
+}