Skip to content

IOS - Base64URLSafe String replace error #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jawa-the-hutt opened this issue Dec 13, 2019 · 0 comments · May be fixed by #74
Open

IOS - Base64URLSafe String replace error #73

jawa-the-hutt opened this issue Dec 13, 2019 · 0 comments · May be fixed by #74

Comments

@jawa-the-hutt
Copy link
Contributor

jawa-the-hutt commented Dec 13, 2019
edited
Loading

For IOS, we have been getting intermittent failures to login. You may go 50 logins without an issue and then have a failure or it could be one every other, or several in a row before working again. It will pop the Safari browser to login, enter in your credentials, then Safari goes away and then nothing happens. Nothing is received back from Auth0 as there is no transmission of data at all.

In troubleshooting this out, what is happening is a false value is being returned here:

nativescript-auth0/src/ios/authSession.ts

Lines 57 to 59 in 738de06

if (has === false) {
return false;
}

It's coming from a check done here:

nativescript-auth0/src/ios/authSession.ts

Lines 76 to 78 in 738de06

private has(state: string | undefined, items: { [key: string]: string }): boolean {
return state === null || items["state"] === state;
}

In logging this line, when we were getting failures, there was an empty space in the string for one of the states, while the other one had a -. Moving further back in the code, the state value was coming in with a %20 where the space was at.

Basically the comparison of the state value was failing. In further tracing down why this was the case, I determined that the code here is the issue:

nativescript-auth0/src/ios/utils.ts

Lines 25 to 28 in 738de06

return data.base64EncodedStringWithOptions(0)
.replace('+', '-')
.replace('/', '_')
.replace('=', '');

What is going on is the replace function as written will only every replace the first value in the string it comes across. So, every so often, there will end up multiple + signs in the state string. The replace function is only replacing the first + sign and leaving all subsequent plus signs in place. Here are some examples of the before and after.

9kDoRw+gMt6Bd4e9uJ3dZcDIn2wB4kFAgQEP36/+7fA=
9kDoRw-gMt6Bd4e9uJ3dZcDIn2wB4kFAgQEP36_+7fA

ij5+mTIJ2HtnFz+xsOJ9Zh14miCHBtAkxtkXaCBpWpA=
ij5-mTIJ2HtnFz+xsOJ9Zh14miCHBtAkxtkXaCBpWpA

I2+o6RKY09SvQwLtNR++j+trqSMWrcQnOlUPc4D1EqM=
I2-o6RKY09SvQwLtNR++j+trqSMWrcQnOlUPc4D1EqM

3KA9/pFkVFWThNq/2TBspj9Z0q7n/rG8nyvb1CvfBWY=
3KA9_pFkVFWThNq/2TBspj9Z0q7n/rG8nyvb1CvfBWY

Incidentally, it is doing this for each of the three replace functions, but the only time the %20 and subsequent empty character happens and causes the failure is when there are multiple + signs.

The fix is the change the replace functions to this:

 return data.base64EncodedStringWithOptions(0)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=/g, '');

I'll have a PR in the next few hours.

Which platform(s) does your issue occur on?

  • iOS
  • any
  • both emulator and device

Please, tell us how to recreate the issue in as much detail as possible.

Describe the steps to reproduce it.

Is there any code involved?

  • provide a code example to recreate the problem
  • (EVEN BETTER) provide a .zip with application or refer to a repository with application where the problem is reproducible.
@jawa-the-hutt jawa-the-hutt linked a pull request Dec 14, 2019 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix base64UrlSafe string replacement bug jawa-the-hutt/nativescript-auth0
1 participant
@jawa-the-hutt