From e3bd13f6d7f548ccbe0498a60a996c1ee6bbbafa Mon Sep 17 00:00:00 2001
From: Adam Raya Navarro
Date: Mon, 29 Apr 2024 16:52:20 -0600
Subject: [PATCH 1/4] Add entropy to nanoid createCodeVerifier

---
 package.json | 6 ++++--
 src/static/helpers/slasHelper.ts | 13 ++++++++++---
 yarn.lock | 10 ++++++++++
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 710376b..cfd793e 100644
--- a/package.json
+++ b/package.json
@@ -97,7 +97,8 @@
 },
 "dependencies": {
 "nanoid": "^3.3.4",
- "node-fetch": "2.6.12"
+ "node-fetch": "2.6.12",
+ "seedrandom": "^3.0.5"
 },
 "devDependencies": {
 "@babel/cli": "7.18.6",
@@ -117,6 +118,7 @@
 "@types/handlebars-helpers": "^0.5.3",
 "@types/node-fetch": "^2.6.2",
 "@types/react-dom": "^16.9.16",
+ "@types/seedrandom": "^3.0.8",
 "@typescript-eslint/eslint-plugin": "^4.33.0",
 "@typescript-eslint/parser": "^4.33.0",
 "autoprefixer": "9.8.8",
@@ -179,7 +181,7 @@
 },
 {
 "path": "commerce-sdk-isomorphic-with-deps.tgz",
- "maxSize": "350 kB"
+ "maxSize": "400 kB"
 }
 ],
 "proxy": "https://SHORTCODE.api.commercecloud.salesforce.com"
diff --git a/src/static/helpers/slasHelper.ts b/src/static/helpers/slasHelper.ts
index 3b78924..5255e89 100644
--- a/src/static/helpers/slasHelper.ts
+++ b/src/static/helpers/slasHelper.ts
@@ -5,8 +5,8 @@
 * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
 */
-import {nanoid} from 'nanoid';
-
+import {customRandom, urlAlphabet} from 'nanoid';
+import seedrandom, {PRNG} from 'seedrandom';
 import {isBrowser} from './environment';
 import {
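Review bot: The new runtime dependency `"seedrandom": "^3.0.5"` in the first package.json hunk uses a caret range while the neighbouring `"node-fetch": "2.6.12"` is pinned exactly; since this package's output ends up in a PKCE code verifier, an exact pin keeps the reviewed version from drifting on a fresh install. `"seedrandom": "3.0.5"` would match the existing pinning style, and the yarn.lock hunk later in this patch already resolves it to 3.0.5. The maxSize increase to 400 kB in the third hunk shows the package adds to the shipped bundle, which is worth stating in the commit message alongside the reason it is needed.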
@@ -39,11 +39,18 @@ export const getCodeAndUsidFromUrl = (
 };
 };
+const nanoid = (): string => { const rng: PRNG = seedrandom(String(+new Date()), {entropy: true}); return customRandom(urlAlphabet, 128, size => new Uint8Array(size).map(() => 256 * rng()) )(); };
+
 /**
 * Creates a random string to use as a code verifier. This code is created by the client and sent with both the authorization request (as a code challenge) and the token request.
 * @returns code verifier
 */
-export const createCodeVerifier = (): string => nanoid(128);
+export const createCodeVerifier = (): string => nanoid();
 /**
 * Encodes a code verifier to a code challenge to send to the authorization endpoint
diff --git a/yarn.lock b/yarn.lock
index 675387c..e6b44a5 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3651,6 +3651,11 @@
 resolved "https://registry.yarnpkg.com/@types/scheduler/-/scheduler-0.16.2.tgz#1a62f89525723dde24ba1b01b092bf5df8ad4d39"
 integrity sha512-hppQEBDmlwhFAXKJX2KnWLYu5yMfi91yazPb2l+lbJiwW+wdo1gNeRA+3RgNSO39WYX2euey41KEwnqesU2Jew==
+"@types/seedrandom@^3.0.8":
+ version "3.0.8"
+ resolved "https://registry.yarnpkg.com/@types/seedrandom/-/seedrandom-3.0.8.tgz#61cc8ed88f93a3c31289c295e6df8ca40be42bdf"
+ integrity sha512-TY1eezMU2zH2ozQoAFAQFOPpvP15g+ZgSfTZt31AUUH/Rxtnz3H+A/Sv1Snw2/amp//omibc+AEkTaA8KUeOLQ==
+
 "@types/semver@^7.3.4", "@types/semver@^7.3.9":
 version "7.3.10"
 resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.3.10.tgz#5f19ee40cbeff87d916eedc8c2bfe2305d957f73"
@@ -14790,6 +14795,11 @@ scss-parser@^1.0.4:
 dependencies:
 invariant "2.2.4"
+seedrandom@^3.0.5:
+ version "3.0.5"
+ resolved "https://registry.yarnpkg.com/seedrandom/-/seedrandom-3.0.5.tgz#54edc85c95222525b0c7a6f6b3543d8e0b3aa0a7"
+ integrity sha512-8OwmbklUNzwezjGInmZ+2clQmExQPvomqjL7LFqOYqtmuxRgQYqOD3mHaU+MvZn5FLUeVxVfQjwLZW/n/JFuqg==
+
 select-hose@^2.0.0:
 version "2.0.0"
 resolved "https://registry.yarnpkg.com/select-hose/-/select-hose-2.0.0.tgz#625d8658f865af43ec962bfc376a37359a4994ca"
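Review bot: The `nanoid` wrapper added in this hunk swaps nanoid's platform CSPRNG for `seedrandom(String(+new Date()), {entropy: true})`, a non-cryptographic generator keyed by the millisecond clock, and its output becomes the PKCE code verifier through `createCodeVerifier`; RFC 7636 calls for a high-entropy cryptographically random verifier, so this is a downgrade for every client rather than only the crawler it targets. As far as I recall, the `entropy: true` auto-seed itself draws from `crypto.getRandomValues` where available, so on the environment where that source is reported to repeat the per-call variation comes from the clock alone. A safer shape keeps nanoid's exported `random` source as the base and XORs the seeded stream into it, so the result is never weaker than the original `nanoid(128)` yet still differs between calls when the platform bytes repeat; the import hunk earlier in this patch would then add `random` to the nanoid import. The local name `nanoid` also shadows the library export it replaces, which hides the substitution from anyone reading the `createCodeVerifier` diff; a name such as `seededNanoid` makes it visible.
```typescript
import {customRandom, random, urlAlphabet} from 'nanoid';
// … unchanged: seedrandom import, getCodeAndUsidFromUrl …
const seededNanoid = (): string => {
  const rng: PRNG = seedrandom(String(+new Date()), {entropy: true});
  // XOR platform CSPRNG bytes with the seeded stream: never weaker than
  // nanoid's default source, still varies per call if that source repeats.
  return customRandom(urlAlphabet, 128, size =>
    random(size).map(byte => byte ^ Math.floor(256 * rng()))
  )();
};
// … unchanged: createCodeVerifier, now calling seededNanoid() …
```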
From a4d0bd09c9fec414a54d2febe8f68035c1a33175 Mon Sep 17 00:00:00 2001
From: Adam Raya Navarro
Date: Mon, 29 Apr 2024 16:59:43 -0600
Subject: [PATCH 2/4] bump file size

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index cfd793e..bd094ed 100644
--- a/package.json
+++ b/package.json
@@ -177,7 +177,7 @@
 "bundlesize": [
 {
 "path": "lib/**/*.js",
- "maxSize": "45 kB"
+ "maxSize": "46 kB"
 },
 {
 "path": "commerce-sdk-isomorphic-with-deps.tgz",

From 654320ce74bab7dac7e2b8ce513f2bf49cb3f80d Mon Sep 17 00:00:00 2001
From: Adam Raya Navarro
Date: Thu, 2 May 2024 14:20:29 -0600
Subject: [PATCH 3/4] Add docs

---
 src/static/helpers/slasHelper.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/static/helpers/slasHelper.ts b/src/static/helpers/slasHelper.ts
index 5255e89..d011fc0 100644
--- a/src/static/helpers/slasHelper.ts
+++ b/src/static/helpers/slasHelper.ts
@@ -39,6 +39,10 @@ export const getCodeAndUsidFromUrl = (
 };
 };
+/**
+ * Adds entropy to nanoid() using seedrandom to ensure that the code_challenge sent to SCAPI by Google's crawler browser is unique.
+ * Solves the issue with Google's crawler getting the same result from nanoid() in two different runs, which results in the same PKCE code_challenge being used twice.
+ */
 const nanoid = (): string => {
 const rng: PRNG = seedrandom(String(+new Date()), {entropy: true});
 return customRandom(urlAlphabet, 128, size =>

From b0b052d060b05e489f87f5caa7321111c119c5e2 Mon Sep 17 00:00:00 2001
From: Adam Raya Navarro
Date: Thu, 2 May 2024 14:32:18 -0600
Subject: [PATCH 4/4] Update CHANGELOG.md

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5fa234d..c588f6e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@
 - Add helper function `callCustomEndpoint` to call [Custom APIs](https://developer.salesforce.com/docs/commerce/commerce-api/guide/custom-apis.html) - [#149](https://github.com/SalesforceCommerceCloud/commerce-sdk-isomorphic/pull/149)
+#### Bug fixes
+
+- Fixed createCodeVerifier adding entropy to be successfully indexed by Google Search Console [#150](https://github.com/SalesforceCommerceCloud/commerce-sdk-isomorphic/pull/150)
+
 ## v1.13.1
 #### Bug fixes