# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1682770011 -7200
# Node ID e3fc52b400644915a9b3cd6534431223f46f32c9
# Parent  6f13200c9fc18e0fda4a8b58914a4e8a0cd5d1bd
mod_rest/rest.sh: Implement RFC 7636 PKCE with the 'plain' method

The S256 code challenge method is left as a future exercise.

diff -r 6f13200c9fc1 -r e3fc52b40064 mod_rest/example/rest.sh
--- a/mod_rest/example/rest.sh	Sat Apr 29 13:26:33 2023 +0200
+++ b/mod_rest/example/rest.sh	Sat Apr 29 14:06:51 2023 +0200
@@ -88,10 +88,11 @@
 	fi
 
 	if [ -z "${ACCESS_TOKEN:-}" ]; then
-		open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&scope=openid+prosody:user"
+		CODE_CHALLENGE="$(head -c 33 /dev/urandom | base64 | tr /+ _-)"
+		open "$AUTHORIZATION_ENDPOINT?response_type=code&client_id=$CLIENT_ID&code_challenge=$CODE_CHALLENGE&scope=openid+prosody:user"
 		read -p "Paste authorization code: " -s -r AUTHORIZATION_CODE
 
-		TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE")"
+		TOKEN_RESPONSE="$(http --check-status --form "$TOKEN_ENDPOINT" 'grant_type=authorization_code' "client_id=$CLIENT_ID" "client_secret=$CLIENT_SECRET" "code=$AUTHORIZATION_CODE" code_verifier="$CODE_CHALLENGE")"
 		ACCESS_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -e -r '.access_token')"
 		REFRESH_TOKEN="$(echo "$TOKEN_RESPONSE" | jq -r '.refresh_token')"
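Review bot: The random value generated as `CODE_CHALLENGE` is placed in the authorization URL handed to `open` and then sent unchanged as `code_verifier`, so anyone who can read that URL (browser history, proxy or server logs) already holds the verifier, and the plain method gives no protection against that kind of code interception. I would keep the secret in its own variable and put only its hash in the URL, e.g. `CODE_VERIFIER="$(head -c 33 /dev/urandom | base64 | tr /+ _-)"` followed by `CODE_CHALLENGE="$(printf '%s' "$CODE_VERIFIER" | openssl dgst -sha256 -binary | base64 | tr /+ _- | tr -d =)"`, adding `&code_challenge_method=S256` to the URL and passing `code_verifier="$CODE_VERIFIER"` to the token request; this assumes the authorization server accepts S256, which the hunk does not show. Until then, sending `code_challenge_method=plain` explicitly and naming the variable `CODE_VERIFIER` would make the weaker choice visible to readers of this example. The enclosing block starts above the hunk, and the `if` opened here closes below it.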