
IOS - Base64URLSafe String replace error

Open jawa-the-hutt opened this issue 5 years ago • 0 comments

For IOS, we have been getting intermittent failures to login. You may go 50 logins without an issue and then have a failure or it could be one every other, or several in a row before working again. It will pop the Safari browser to login, enter in your credentials, then Safari goes away and then nothing happens. Nothing is received back from Auth0 as there is no transmission of data at all.

In troubleshooting this, what is happening is a false value is being returned here: https://github.com/sitefinitysteve/nativescript-auth0/blob/738de0684cb22e5c2463c78c1d58bc47cd9380e5/src/ios/authSession.ts#L57-L59

It's coming from a check done here: https://github.com/sitefinitysteve/nativescript-auth0/blob/738de0684cb22e5c2463c78c1d58bc47cd9380e5/src/ios/authSession.ts#L76-L78

In logging this line, when we were getting failures, there was an empty space in the string for one of the states, while the other one had a -. Moving further back in the code, the state value was coming in with a %20 where the space was at.

Basically the comparison of the state value was failing. In further tracing down why this was the case, I determined that the code here is the issue: https://github.com/sitefinitysteve/nativescript-auth0/blob/738de0684cb22e5c2463c78c1d58bc47cd9380e5/src/ios/utils.ts#L25-L28

What is going on is the replace function as written will only ever replace the first value in the string it comes across. So, every so often, there will end up being multiple + signs in the state string. The replace function is only replacing the first + sign and leaving all subsequent plus signs in place. Here are some examples of the before and after.

9kDoRw+gMt6Bd4e9uJ3dZcDIn2wB4kFAgQEP36/+7fA=
9kDoRw-gMt6Bd4e9uJ3dZcDIn2wB4kFAgQEP36_+7fA

ij5+mTIJ2HtnFz+xsOJ9Zh14miCHBtAkxtkXaCBpWpA=
ij5-mTIJ2HtnFz+xsOJ9Zh14miCHBtAkxtkXaCBpWpA

I2+o6RKY09SvQwLtNR++j+trqSMWrcQnOlUPc4D1EqM=
I2-o6RKY09SvQwLtNR++j+trqSMWrcQnOlUPc4D1EqM

3KA9/pFkVFWThNq/2TBspj9Z0q7n/rG8nyvb1CvfBWY=
3KA9_pFkVFWThNq/2TBspj9Z0q7n/rG8nyvb1CvfBWY

Incidentally, it is doing this for each of the three replace functions, but the only time the %20 and subsequent empty character happens and causes the failure is when there are multiple + signs.

The fix is to change the replace functions to this:

 return data.base64EncodedStringWithOptions(0)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=/g, '');

I'll have a PR in the next few hours.

Which platform(s) does your issue occur on?

  • iOS
  • any
  • both emulator and device

Please, tell us how to recreate the issue in as much detail as possible.

Describe the steps to reproduce it.

Is there any code involved?

  • provide a code example to recreate the problem
  • (EVEN BETTER) provide a .zip with application or refer to a repository with application where the problem is reproducible.

jawa-the-hutt, Dec 13 '19 22:12
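
Added example, not part of the original issue and not code from nativescript-auth0: it reproduces the state mismatch described above using two of the issue's sample values. The buggy encoder is reconstructed from the issue's description (string patterns that replace only the first match), and `roundTripThroughQuery`, `isUrlSafe` and `checkState` are hypothetical helpers that assume the receiving side form-decodes the query string, which turns a literal `+` into a space.

```javascript
// Added example: not code from nativescript-auth0. The "buggy" variant is
// reconstructed from the issue's description (string patterns, first match only).

// String patterns: replace() stops after the first occurrence.
function toBase64UrlBuggy(b64) {
  return b64.replace('+', '-').replace('/', '_').replace('=', '');
}

// Global regexes, as in the fix proposed in the issue.
function toBase64UrlFixed(b64) {
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
}

// Assumed model of the redirect: the state is placed in a query string as-is
// and the receiver form-decodes it, so a leftover "+" comes back as a space.
function roundTripThroughQuery(state) {
  return new URLSearchParams('state=' + state).get('state');
}

// Guard: a value outside the base64url alphabet is not safe to put in a URL.
function isUrlSafe(state) {
  return /^[A-Za-z0-9_-]+$/.test(state);
}

// Encode, send through the query string, and compare what comes back.
function checkState(encode, b64) {
  const sent = encode(b64);
  const received = roundTripThroughQuery(sent);
  return { sent, received, urlSafe: isUrlSafe(sent), matches: sent === received };
}

// Sample values taken from the issue text.
const SAMPLES = [
  'ij5+mTIJ2HtnFz+xsOJ9Zh14miCHBtAkxtkXaCBpWpA=', // two "+" signs
  '3KA9/pFkVFWThNq/2TBspj9Z0q7n/rG8nyvb1CvfBWY=', // three "/" signs, no "+"
];

for (const s of SAMPLES) {
  console.log('buggy', checkState(toBase64UrlBuggy, s));
  console.log('fixed', checkState(toBase64UrlFixed, s));
}
```

The second sample still compares equal with the buggy encoder because a leftover `/` survives form-decoding unchanged, which is consistent with the issue's observation that only multiple `+` signs caused failures; the alphabet check flags both cases.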