fix decodeBase64url (#488)

* fix decodeBase64url * update pnpm version * add changeset
supabase · Apr 6, 2023 · 185e9cf · 185e9cf
1 parent 71718d6
commit 185e9cf
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 6 deletions.
diff --git a/.changeset/lemon-tigers-protect.md b/.changeset/lemon-tigers-protect.md
@@ -0,0 +1,5 @@
+---
+'@supabase/auth-helpers-shared': patch
+---
+
+fix decodeBase64url
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -21,7 +21,7 @@ jobs:
 
       - uses: pnpm/[email protected]
         with:
-          version: 7.13.4
+          version: 8.1.0
 
       - name: Set up Node
         uses: actions/setup-node@v1

diff --git a/packages/shared/src/utils/cookies.ts b/packages/shared/src/utils/cookies.ts
@@ -45,8 +45,22 @@ export function isSecureEnvironment(headerHost?: string | string[]) {
   return true;
 }
 
-export function decodeBase64URL(value: string): string {
-  const key = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
+function decodeBase64URL_atob(value: string) {
+  return decodeURIComponent(
+    atob(value.replace(/[-]/g, '+').replace(/[_]/g, '/'))
+      .split('')
+      .map((c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2))
+      .join('')
+  );
+}
+
+function decodeBase64URL_buffer(value: string) {
+  return Buffer.from(value, 'base64').toString('utf-8');
+}
+
+function decodeBase64URL_custom(value: string) {
+  const key =
+    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
   let base64 = '';
   let chr1, chr2, chr3;
   let enc1, enc2, enc3, enc4;
@@ -70,10 +84,34 @@ export function decodeBase64URL(value: string): string {
       base64 = base64 + String.fromCharCode(chr3);
     }
   }
-
   return base64;
 }
 
+export function decodeBase64URL(value: string): string {
+  try {
+    // atob is present in all browsers and nodejs >= 16
+    // but if it is not it will throw a ReferenceError in which case we can try to use Buffer
+    // replace are here to convert the Base64-URL into Base64 which is what atob supports
+    // replace with //g regex acts like replaceAll
+    // Decoding base64 to UTF8 see https://stackoverflow.com/a/30106551/17622044
+    return decodeBase64URL_atob(value);
+  } catch (e) {
+    if (e instanceof ReferenceError) {
+      // running on nodejs < 16
+      // Buffer supports Base64-URL transparently
+      try {
+        return decodeBase64URL_buffer(value);
+      } catch (e) {
+        if (e instanceof ReferenceError) {
+          return decodeBase64URL_custom(value);
+        }
+        throw e;
+      }
+    }
+    throw e;
+  }
+}
+
 export function parseSupabaseCookie(
   str: string | null | undefined
 ): Partial<Session> | null {
@@ -110,7 +148,7 @@ export function parseSupabaseCookie(
       user: {
         id: sub,
         factors: session[4],
-        ...user,
+        ...user
       }
     };
   } catch (err) {
@@ -125,6 +163,6 @@ export function stringifySupabaseSession(session: Session): string {
     session.refresh_token,
     session.provider_token,
     session.provider_refresh_token,
-    session.user.factors,
+    session.user.factors
   ]);
 }