Update authorization-code-grant-type.js

Author: jankapunkt

lib/grant-types/authorization-code-grant-type.js

@@ -12,7 +12,6 @@ const Promise = require('bluebird');
 const promisify = require('promisify-any').use(Promise);
 const ServerError = require('../errors/server-error');
 const isFormat = require('@node-oauth/formats');
-const util = require('util');
 const pkce = require('../pkce/pkce');
 
 /**
@@ -113,6 +112,36 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
           throw new InvalidGrantError('Invalid grant: `redirect_uri` is not a valid URI');
         }
 
+        // optional: PKCE code challenge
+
+        if (code.codeChallenge) {
+          if (!request.body.code_verifier) {
+            throw new InvalidGrantError('Missing parameter: `code_verifier`');
+          }
+
+          const hash = pkce.getHashForCodeChallenge({
+            method: code.codeChallengeMethod,
+            verifier: request.body.code_verifier
+          });
+
+          if (!hash) {
+            // notice that we assume that codeChallengeMethod is already
+            // checked at an earlier stage when being read from
+            // request.body.code_challenge_method
+            throw new ServerError('Server error: `getAuthorizationCode()` did not return a valid `codeChallengeMethod` property');
+          }
+
+          if (code.codeChallenge !== hash) {
+            throw new InvalidGrantError('Invalid grant: code verifier is invalid');
+          }
+        }
+        else {
+          if (request.body.code_verifier) {
+            // No code challenge but code_verifier was passed in.
+            throw new InvalidGrantError('Invalid grant: code verifier is invalid');
+          }
+        }
+
         return code;
       });
   }
@@ -201,4 +230,4 @@ class AuthorizationCodeGrantType extends AbstractGrantType {
  * Export constructor.
  */
 
-module.exports = AuthorizationCodeGrantType;
+module.exports = AuthorizationCodeGrantType;