Code Challenge is missing when Code Challenge Method is s256
tansanDOTeth opened this issue · 0 comments
tansanDOTeth commented
Currently, when setting the challenge method to `s256`, it does not respect the `code_challenge` provided. For this reason, I won't be able to send a `code_verifier` later to the OAuth authorizer for a proper token exchange.
Specific to the code here: https://github.com/twitterdev/twitter-api-typescript-sdk/blob/0d12a20a76d6dd9c346decf9cc80bc611975d43f/src/OAuth2User.ts#L45C2-L58C7
It should be:
```ts
export type GenerateAuthUrlOptions = {
  /** A random string you provide to verify against CSRF attacks. The length of this string can be up to 500 characters. */
  state: string;
  /** A PKCE parameter, a random secret for each request you make. */
  code_challenge: string;
  /** Specifies the method you are using to make a request (S256 OR plain). */
  code_challenge_method: "plain" | "s256";
};
```
Related Spec:
https://www.rfc-editor.org/rfc/rfc7636#section-4.6
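
The PKCE round trip this issue depends on, as an added example that is not part of the original issue or of the SDK: the client derives `code_challenge` from a `code_verifier` it keeps, and the authorization server recomputes it at token exchange as RFC 7636 section 4.6 describes. The function names are hypothetical; the method value follows the `s256` spelling used above (RFC 7636 registers the name as `S256`).

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Spelling taken from the type proposed in the issue; the RFC name is "S256".
type ChallengeMethod = "plain" | "s256";

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Client: 32 random bytes encode to a 43-character base64url verifier.
// The client must keep this value until the token request.
function generateCodeVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// Client (section 4.2): the challenge sent in the authorization URL.
// s256 -> BASE64URL(SHA256(ASCII(code_verifier))), plain -> the verifier itself.
function deriveCodeChallenge(verifier: string, method: ChallengeMethod): string {
  if (!VERIFIER_RE.test(verifier)) {
    throw new Error("code_verifier must be 43-128 unreserved characters");
  }
  if (method === "plain") return verifier;
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Server (section 4.6): recompute from the presented verifier and compare
// with the challenge stored at authorization time. If the stored challenge
// was not derived from the caller's verifier, this returns false and the
// token exchange fails.
function verifyCodeVerifier(
  verifier: string,
  storedChallenge: string,
  method: ChallengeMethod
): boolean {
  let computed: string;
  try {
    computed = deriveCodeChallenge(verifier, method);
  } catch {
    return false; // malformed verifier
  }
  const a = Buffer.from(computed, "ascii");
  const b = Buffer.from(storedChallenge, "ascii");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return a.length === b.length && timingSafeEqual(a, b);
}
```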