From 3868c4c3a55c178de03124650434c0b1f6d09518 Mon Sep 17 00:00:00 2001
From: Louis Chan
Date: Fri, 12 Apr 2024 18:10:51 +0800
Subject: [PATCH] Follow RFC7636 to generate code verifier
---
 .../main/java/com/oursky/authgear/AuthgearCore.kt | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/sdk/src/main/java/com/oursky/authgear/AuthgearCore.kt b/sdk/src/main/java/com/oursky/authgear/AuthgearCore.kt
index 5766cd03..ab7058ad 100644
--- a/sdk/src/main/java/com/oursky/authgear/AuthgearCore.kt
+++ b/sdk/src/main/java/com/oursky/authgear/AuthgearCore.kt
@@ -635,20 +635,20 @@ internal class AuthgearCore(
 }
 
 private fun generateCodeVerifier(): Verifier {
+ // https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+ // It is RECOMMENDED that the output of
+ // a suitable random number generator be used to create a 32-octet
+ // sequence. The octet sequence is then base64url-encoded to produce a
+ // 43-octet URL safe string to use as the code verifier.
 val bytes = ByteArray(32)
 SecureRandom().nextBytes(bytes)
- val verifier = bytes.joinToString(separator = "") {
- it.toString(16).padStart(2, '0')
- }
+ val verifier = base64UrlEncode(bytes)
 return Verifier(verifier, computeCodeChallenge(verifier))
 }
 
 private fun computeCodeChallenge(verifier: String): String {
 val hash = sha256(verifier)
- return String(
- Base64.encode(hash, Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP),
- StandardCharsets.UTF_8
- )
+ return base64UrlEncode(hash)
 }
 
 private fun sha256(input: String): ByteArray {
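Review bot: Both the code verifier and the code challenge now depend on `base64UrlEncode`, which is defined outside this hunk, whereas the removed call in `computeCodeChallenge` spelled out `Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP` at the call site. If the helper ever emits `=` padding or a trailing newline, the verifier no longer matches the 43–128 unreserved-character form that RFC 7636 section 4.1 requires and the token exchange would likely be rejected, so it is worth confirming the helper keeps all three flags. A cheap guard in `generateCodeVerifier` right after the encode would pin this: `check(verifier.length == 43) { "unexpected code verifier length" }`. The body of `sha256` also continues outside the hunk; presumably it hashes the verifier's ASCII bytes, which the base64url alphabet keeps unambiguous, but that should be checked against the helper.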