
@halvaradop (Member) commented Feb 5, 2026

Description

This pull request introduces randomization of the PKCE code verifier length using the createPKCE function. With this change, the code_verifier length varies on each request, using a randomized length between 42 and 128 characters, as defined by the PKCE RFC specification.

This improves security by avoiding predictable verifier lengths while remaining fully compliant with the PKCE standard.

Resources

Summary by CodeRabbit

  • Bug Fixes
    • Updated PKCE verifier handling: when no verifier is supplied, the system now generates verifier bytes with a variable secure length rather than a fixed size. Added validation that enforces acceptable verifier length ranges and surfaces an error if values fall outside those bounds. Verifier-to-challenge flow remains unchanged.

vercel bot commented Feb 5, 2026

The latest updates on your projects.

Project           Deployment   Actions            Updated (UTC)
auth-nextjs-demo  Ready        Preview, Comment   Feb 5, 2026 5:53pm
auth              Skipped      (1 skipped deployment)  Feb 5, 2026 5:53pm

coderabbitai bot commented Feb 5, 2026

Caution: Review failed. The pull request is closed.

Walkthrough

When createPKCE is called without a verifier, a random byte length between 32–96 is chosen to generate the code verifier (which maps to a 43–128 char base64url string). The verifier is validated to be 43–128 characters; an AuthSecurityError is thrown if invalid.

Changes

Cohort: PKCE Verifier Generation & Validation
File(s): packages/core/src/secure.ts
Summary: When no verifier is provided, pick a random byte length (32–96) and generate the code verifier via generateSecure(byteLength). Add validation ensuring verifier length is within 43–128 characters; throw AuthSecurityError if outside range. Comment added about base64url length mapping.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • aura-stack-ts/auth#86: Implements similar changes to createPKCE—randomized code_verifier byte length and length validation in packages/core/src/secure.ts.

Poem

🐰🍃
I hopped through bytes from thirty-two to ninety-six,
spun verifiers into safe base64 tricks,
counted each whisker to forty-three through one-twenty-eight,
and tucked errors where lengths don't behave straight.
Secure hops, secure stops—✨🔐

Pre-merge checks: 3 passed

Check name           Status   Explanation
Description Check    Passed   Check skipped - CodeRabbit's high-level summary is enabled.
Title check          Passed   The title accurately describes the main change: randomizing code verifier length in the PKCE flow implementation.
Docstring Coverage   Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@halvaradop halvaradop added the enhancement New feature or request label Feb 5, 2026
coderabbitai bot left a comment

Actionable comments posted: 1

Fix all issues with AI agents
In `@packages/core/src/secure.ts`:
- Around line 25-29: The code uses generateSecure(byteCount) but validates
characters, causing oversized verifiers; change the random byte length selection
so it produces 43–128 base64url characters by selecting 32–96 bytes (since
ceil(bytes*4/3) yields 43–128 chars). Concretely, replace the current length
calculation (Math.random() * (128 - 43 + 1) + 43) with a random byte count
between 32 and 96 and call generateSecure(byteCount) to produce codeVerifier,
keeping the existing codeVerifier length check and AuthSecurityError unchanged;
reference generateSecure, length, codeVerifier, and AuthSecurityError when
making the change.
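The byte-to-character mapping that the walkthrough and the actionable comment describe (32–96 random bytes giving 43–128 unpadded base64url characters), carried through as an added example that is not the project's own code: generateSecure and AuthSecurityError here are stand-ins assumed to mirror packages/core/src/secure.ts, and verifyPKCE adds the authorization-server side of the exchange, which the page does not show.

```typescript
// Added example (not the project's code): randomized-length PKCE verifier
// with the bounds the review discusses. generateSecure and AuthSecurityError
// are stand-ins assumed to mirror packages/core/src/secure.ts.
import { createHash, randomBytes, randomInt, timingSafeEqual } from "node:crypto";

const MIN_BYTES = 32;   // ceil(32 * 4 / 3) = 43 base64url chars
const MAX_BYTES = 96;   // 96 * 4 / 3 = 128 base64url chars
const MIN_VERIFIER_LENGTH = 43;
const MAX_VERIFIER_LENGTH = 128;

export class AuthSecurityError extends Error {}

// Unpadded base64url of `byteLength` CSPRNG bytes; every output character is
// in the RFC 7636 unreserved set [A-Za-z0-9-._~].
export function generateSecure(byteLength: number): string {
  return randomBytes(byteLength).toString("base64url");
}

// Characters produced by unpadded base64url for a given byte count.
export function base64urlLength(byteLength: number): number {
  return Math.ceil((byteLength * 4) / 3);
}

export interface PKCEPair { codeVerifier: string; codeChallenge: string }

export function createPKCE(verifier?: string): PKCEPair {
  // Pick the byte count, not the character count: randomInt's upper bound is
  // exclusive, so MAX_BYTES + 1 keeps 96 reachable.
  const codeVerifier = verifier ?? generateSecure(randomInt(MIN_BYTES, MAX_BYTES + 1));
  if (codeVerifier.length < MIN_VERIFIER_LENGTH || codeVerifier.length > MAX_VERIFIER_LENGTH) {
    throw new AuthSecurityError(
      `code_verifier must be ${MIN_VERIFIER_LENGTH}-${MAX_VERIFIER_LENGTH} characters`,
    );
  }
  // S256 method: code_challenge = base64url(SHA-256(ASCII(code_verifier)))
  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
  return { codeVerifier, codeChallenge };
}

// Authorization-server side of the flow: recompute the challenge from the
// presented verifier and compare in constant time.
export function verifyPKCE(codeVerifier: string, codeChallenge: string): boolean {
  const expected = createHash("sha256").update(codeVerifier).digest();
  const presented = Buffer.from(codeChallenge, "base64url");
  return expected.length === presented.length && timingSafeEqual(expected, presented);
}
```

Selecting a random character count and passing it to generateSecure as a byte count, which the review comment flags, would produce verifiers of up to ceil(128 * 4 / 3) = 171 characters and trip the length check.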

@vercel vercel bot temporarily deployed to Preview – auth February 5, 2026 17:52 Inactive
@halvaradop halvaradop merged commit ab5f54a into master Feb 5, 2026
6 of 8 checks passed
@halvaradop halvaradop deleted the refactor/add-random-pkce-length branch February 5, 2026 17:53