Use base64.urlsafe_b64encode() instead of manual specification of chars

mhagander · mhagander · commit e48157dac3fb · 2025-06-11T20:26:21.000+02:00
This makes for better readability, and is exactly the same
functionality...

Pointed out by Jacob Champion
diff --git a/pgweb/account/views.py b/pgweb/account/views.py
@@ -729,9 +729,9 @@ def communityauth(request, siteid):
         encryptor = AES.new(base64.b64decode(site.cryptkey), AES.MODE_SIV, nonce=nonce)
         cipher, tag = encryptor.encrypt_and_digest(s.encode('ascii'))
         redirparams = {
-            'd': base64.b64encode(cipher, b"-_").decode('ascii'),
-            'n': base64.b64encode(nonce, b"-_").decode('ascii'),
-            't': base64.b64encode(tag, b"-_").decode('ascii'),
+            'd': base64.urlsafe_b64encode(cipher),
+            'n': base64.urlsafe_b64encode(nonce),
+            't': base64.urlsafe_b64encode(tag),
         }
     else:
         # v2 = plain AES
@@ -741,8 +741,8 @@ def communityauth(request, siteid):
         encryptor = AES.new(base64.b64decode(site.cryptkey), AES.MODE_CBC, iv)
         cipher = encryptor.encrypt(s.encode('ascii') + b' ' * (16 - (len(s) % 16)))  # Pad to even 16 bytes
         redirparams = {
-            'i': base64.b64encode(iv, b"-_").decode('ascii'),
-            'd': base64.b64encode(cipher, b"-_").decode('ascii'),
+            'i': base64.urlsafe_b64encode(iv),
+            'd': base64.urlsafe_b64encode(cipher),
         }
 
     # Generate redirect
@@ -794,9 +794,9 @@ def _encrypt_site_response(site, s, version):
         cipher, tag = encryptor.encrypt_and_digest(s.encode('ascii'))
 
         return "&".join((
-            base64.b64encode(nonce, b'-_').decode('ascii'),
-            base64.b64encode(cipher, b'-_').decode('ascii'),
-            base64.b64encode(tag, b'-_').decode('ascii'),
+            base64.urlsafe_b64encode(nonce).decode('ascii'),
+            base64.urlsafe_b64encode(cipher).decode('ascii'),
+            base64.urlsafe_b64encode(tag).decode('ascii'),
         ))
     else:
         # Encrypt it with the shared key (and IVs)
@@ -806,8 +806,8 @@ def _encrypt_site_response(site, s, version):
         cipher = encryptor.encrypt(s.encode('ascii') + b' ' * (16 - (len(s) % 16)))  # Pad to even 16 bytes
 
         return "&".join((
-            base64.b64encode(iv, b'-_').decode('ascii'),
-            base64.b64encode(cipher, b'-_').decode('ascii'),
+            base64.urlsafe_b64encode(iv).decode('ascii'),
+            base64.urlsafe_b64encode(cipher).decode('ascii'),
         ))
 
 
diff --git a/tools/communityauth/sample/django/auth.py b/tools/communityauth/sample/django/auth.py
@@ -83,9 +83,9 @@ def login(request):
 
         return HttpResponseRedirect("%s?%s" % (settings.PGAUTH_REDIRECT, urlencode({
             'd': '$'.join((
-                base64.b64encode(nonce, b"-_").decode('utf8'),
-                base64.b64encode(cipher, b"-_").decode('utf8'),
-                base64.b64encode(tag, b"-_").decode('utf8'),
+                base64.urlsafe_b64encode(nonce).decode('utf8'),
+                base64.urlsafe_b64encode(cipher).decode('utf8'),
+                base64.urlsafe_b64encode(tag).decode('utf8'),
             )),
         })))
     else:
@@ -119,11 +119,11 @@ def auth_receive(request):
         decryptor = AES.new(
             base64.b64decode(settings.PGAUTH_KEY),
             AES.MODE_SIV,
-            nonce=base64.b64decode(str(request.GET['n']), "-_"),
+            nonce=base64.urlsafe_b64decode(str(request.GET['n'])),
         )
         s = decryptor.decrypt_and_verify(
-            base64.b64decode(str(request.GET['d']), "-_"),
-            base64.b64decode(str(request.GET['t']), "-_"),
+            base64.urlsafe_b64decode(str(request.GET['d'])),
+            base64.urlsafe_b64decode(str(request.GET['t'])),
         ).rstrip(b' ').decode('utf8')
     except UnicodeDecodeError:
         return HttpResponse("Badly encoded data found", 400)
@@ -215,11 +215,11 @@ def auth_receive(request):
         decryptor = AES.new(
             SHA256.new(settings.SECRET_KEY.encode('ascii')).digest()[:32],
             AES.MODE_SIV,
-            nonce=base64.b64decode(nonces, b"-_"),
+            nonce=base64.urlsafe_b64decode(nonces),
         )
         s = decryptor.decrypt_and_verify(
-            base64.b64decode(datas, "-_"),
-            base64.b64decode(tags, "-_"),
+            base64.urlsafe_b64decode(datas),
+            base64.urlsafe_b64decode(tags),
         ).rstrip(b' ').decode('utf8')
         try:
             rdata = parse_qs(s, strict_parsing=True)
@@ -331,11 +331,11 @@ def user_search(searchterm=None, userid=None):
     decryptor = AES.new(
         base64.b64decode(settings.PGAUTH_KEY),
         AES.MODE_SIV,
-        nonce=base64.b64decode(nonces, "-_")
+        nonce=base64.urlsafe_b64decode(nonces)
     )
     s = decryptor.decrypt_and_verify(
-        base64.b64decode(datas, "-_"),
-        base64.b64decode(tags, "-_"),
+        base64.urlsafe_b64decode(datas),
+        base64.urlsafe_b64decode(tags),
     ).rstrip(b' ').decode('utf8')
 
     j = json.loads(s)
diff --git a/tools/communityauth/test_auth.py b/tools/communityauth/test_auth.py
@@ -63,9 +63,9 @@
     cipher, tag = encryptor.encrypt_and_digest(s.encode('ascii'))
 
     redirparams = {
-        'd': base64.b64encode(cipher, b"-_").decode('ascii'),
-        'n': base64.b64encode(nonce, b"-_").decode('ascii'),
-        't': base64.b64encode(tag, b"-_").decode('ascii'),
+        'd': base64.urlsafe_b64encode(cipher).decode('ascii'),
+        'n': base64.urlsafe_b64encode(nonce).decode('ascii'),
+        't': base64.urlsafe_b64encode(tag).decode('ascii'),
     }
 
     print("Paste the following after the receiving url:")
