[Add] PKCE 체크 및 관련 기능 구현, Playground 디렉토리 정리

2025-05-26 00:56:03 +09:00 · 2025-05-26 00:56:03 +09:00 · 0a24c5594d
commit 0a24c5594d
parent ba20dd9007
13 changed files with 164 additions and 140 deletions
--- a/playground/.gitignore
+++ b/playground/.gitignore
@ -1,34 +0,0 @@
-# dependencies (bun install)
-node_modules
-
-# output
-out
-dist
-*.tgz
-
-# code coverage
-coverage
-*.lcov
-
-# logs
-logs
-_.log
-report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
-
-# dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# caches
-.eslintcache
-.cache
-*.tsbuildinfo
-
-# IntelliJ based IDEs
-.idea
-
-# Finder (MacOS) folder config
-.DS_Store
--- a/playground/PKCEDowngrade/.gitignore
+++ b/playground/PKCEDowngrade/.gitignore
@ -0,0 +1,2 @@
+# deps
+node_modules/
--- a/playground/PKCEDowngrade/README.md
+++ b/playground/PKCEDowngrade/README.md
@ -0,0 +1,11 @@
+To install dependencies:
+```sh
+bun install
+```
+
+To run:
+```sh
+bun run dev
+```
+
+open http://localhost:3000
--- a/playground/PKCEDowngrade/bun.lock
+++ b/playground/PKCEDowngrade/bun.lock
@ -2,13 +2,13 @@
  "lockfileVersion": 1,
  "workspaces": {
    "": {
-      "name": "playground",
+      "name": "PKCEDowngrade",
+      "dependencies": {
+        "hono": "^4.7.10",
+      },
      "devDependencies": {
        "@types/bun": "latest",
      },
-      "peerDependencies": {
-        "typescript": "^5",
-      },
    },
  },
  "packages": {
@ -18,7 +18,7 @@

    "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="],

-    "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
+    "hono": ["hono@4.7.10", "", {}, "sha512-QkACju9MiN59CKSY5JsGZCYmPZkA6sIW6OFCUp7qDjZu6S6KHtJHhAc9Uy9mV9F8PJ1/HQ3ybZF2yjCa/73fvQ=="],

    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
  }
--- a/playground/PKCEDowngrade/package.json
+++ b/playground/PKCEDowngrade/package.json
@ -0,0 +1,12 @@
+{
+  "name": "PKCEDowngrade",
+  "scripts": {
+    "dev": "bun run --hot src/index.ts"
+  },
+  "dependencies": {
+    "hono": "^4.7.10"
+  },
+  "devDependencies": {
+    "@types/bun": "latest"
+  }
+}
--- a/playground/PKCEDowngrade/src/index.ts
+++ b/playground/PKCEDowngrade/src/index.ts
@ -0,0 +1,94 @@
+import { Hono } from 'hono'
+import { randomBytes, createHash } from 'crypto'
+import { Buffer } from 'buffer'
+
+const app = new Hono()
+
+// In-memory PKCE store (should use Redis or similar in production)
+const pkceStore = new Map<string, string>()
+
+const generateCodeVerifier = () => {
+  return randomBytes(32).toString('hex')
+}
+
+const generateCodeChallenge = (verifier: string) => {
+  const hash = createHash('sha256').update(verifier).digest()
+  return hash.toString('base64url')
+}
+
+// Step 1: Redirect to GitHub with PKCE
+app.get('/login', (c) => {
+  const codeVerifier = generateCodeVerifier()
+  const codeChallenge = generateCodeChallenge(codeVerifier)
+  const state = randomBytes(8).toString('hex')
+
+  pkceStore.set(state, codeVerifier)
+
+  const params = new URLSearchParams({
+    client_id: process.env.GITHUB_CLIENT_ID!,
+    redirect_uri: 'http://localhost:8787/callback',
+    scope: 'read:user',
+    state,
+    response_type: 'code',
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  })
+
+  return c.redirect(`https://github.com/login/oauth/authorize?${params}`)
+})
+
+// Step 2: GitHub redirects back here
+app.get('/callback', async (c) => {
+  const url = new URL(c.req.url)
+  const code = url.searchParams.get('code')
+  const state = url.searchParams.get('state')
+
+  if (!code || !state) {
+    return c.text('Missing code or state', 400)
+  }
+
+  const codeVerifier = pkceStore.get(state)
+  if (!codeVerifier) {
+    return c.text('Invalid or expired state', 400)
+  }
+
+  // Step 3: Exchange code + verifier for token
+  const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
+    method: 'POST',
+    headers: {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      client_id: process.env.GITHUB_CLIENT_ID,
+      client_secret: process.env.GITHUB_CLIENT_SECRET,
+      code,
+      redirect_uri: 'http://localhost:8787/callback',
+      code_verifier: codeVerifier,
+    }),
+  })
+
+  const tokenData = await tokenRes.json()
+  if (!tokenData.access_token) {
+    return c.text('Failed to get access token', 500)
+  }
+
+  // Step 4: Use token to fetch user profile
+  const userRes = await fetch('https://api.github.com/user', {
+    headers: {
+      Authorization: `Bearer ${tokenData.access_token}`,
+      'User-Agent': 'hono-app',
+    },
+  })
+
+  const user = await userRes.json()
+  return c.json({
+    message: 'GitHub login successful!',
+    user,
+  })
+})
+
+export default { 
+  port: 8787,
+  fetch: app.fetch,
+}
--- a/playground/PKCEDowngrade/tsconfig.json
+++ b/playground/PKCEDowngrade/tsconfig.json
@ -0,0 +1,7 @@
+{
+  "compilerOptions": {
+    "strict": true,
+    "jsx": "react-jsx",
+    "jsxImportSource": "hono/jsx"
+  }
+}
--- a/playground/README.md
+++ b/playground/README.md
@ -1,15 +0,0 @@
-# playground
-
-To install dependencies:
-
-```bash
-bun install
-```
-
-To run:
-
-```bash
-bun run 
-```
-
-This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime.
--- a/playground/package.json
+++ b/playground/package.json
@ -1,10 +0,0 @@
-{
-  "name": "playground",
-  "private": true,
-  "devDependencies": {
-    "@types/bun": "latest"
-  },
-  "peerDependencies": {
-    "typescript": "^5"
-  }
-}
--- a/playground/src/PKCEDowngradeExpress.js
+++ b/playground/src/PKCEDowngradeExpress.js
@ -1,31 +0,0 @@
-const express = require("express");
-const app = express();
-
-app.get("/auth", (req, res) => {
-  const {
-    client_id,
-    response_type,
-    code_challenge,
-    code_challenge_method,
-    scope
-  } = req.query;
-
-  console.log("Incoming request:", req.query);
-
-  if (!client_id || response_type !== "code") {
-    return res.status(400).send("Missing required parameters");
-  }
-
-  // Simulate issuing an authorization code
-  const code = "dummy-auth-code";
-
-  // Simulate PKCE check (normally you'd validate here)
-  // We deliberately allow the downgrade here to simulate the vulnerability
-  const responseBody = `Authorization successful. code=${code}`;
-  return res.status(200).send(responseBody);
-});
-
-const PORT = 5050;
-app.listen(PORT, () => {
-  console.log(`Test PKCE server running on http://localhost:${PORT}`);
-});
--- a/playground/tsconfig.json
+++ b/playground/tsconfig.json
@ -1,29 +0,0 @@
-{
-  "compilerOptions": {
-    // Environment setup & latest features
-    "lib": ["ESNext"],
-    "target": "ESNext",
-    "module": "Preserve",
-    "moduleDetection": "force",
-    "jsx": "react-jsx",
-    "allowJs": true,
-
-    // Bundler mode
-    "moduleResolution": "bundler",
-    "allowImportingTsExtensions": true,
-    "verbatimModuleSyntax": true,
-    "noEmit": true,
-
-    // Best practices
-    "strict": true,
-    "skipLibCheck": true,
-    "noFallthroughCasesInSwitch": true,
-    "noUncheckedIndexedAccess": true,
-    "noImplicitOverride": true,
-
-    // Some stricter flags (disabled by default)
-    "noUnusedLocals": false,
-    "noUnusedParameters": false,
-    "noPropertyAccessFromIndexSignature": false
-  }
-}