From fb5263a7e4270693258a22abef2f13ec12a959a4 Mon Sep 17 00:00:00 2001
From: Mauro Amico <mauro.amico@gmail.com>
Date: Thu, 30 May 2024 12:36:51 +0200
Subject: [PATCH] fix code_verifier length

---
 spid_cie_oidc/relying_party/utils.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/spid_cie_oidc/relying_party/utils.py b/spid_cie_oidc/relying_party/utils.py
index cf93c141..5ab13932 100644
--- a/spid_cie_oidc/relying_party/utils.py
+++ b/spid_cie_oidc/relying_party/utils.py
@@ -2,9 +2,8 @@
 import json
 import hashlib
 import logging
-import os
 import random
-import re
+import secrets
 import string
 import urllib
 
@@ -34,10 +33,11 @@ def random_string(n=32):
 def get_pkce(code_challenge_method: str = "S256", code_challenge_length: int = 64):
     hashers = {"S256": hashlib.sha256}
 
-    code_verifier_length = random.randint(43, 128) # nosec - B311
-    code_verifier = base64.urlsafe_b64encode(os.urandom(code_verifier_length)).decode("utf-8")
-    code_verifier = re.sub("[^a-zA-Z0-9]+", "", code_verifier)
-
+    # https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+    code_verifier_length = secrets.choice(range(43, 128 + 1))
+    alpha = string.ascii_letters + string.digits + "-._~"
+    code_verifier = "".join([secrets.choice(alpha) for _ in range(code_verifier_length)])
+    
     code_challenge = hashers.get(code_challenge_method)(
         code_verifier.encode("utf-8")
     ).digest()