fix(pkce): use rejection sampling to remove modulo bias

The naive `byte % CHARSET.length` loop over-represents the first 58
characters of the 66-entry PKCE charset by ~33% because 256 is not a
multiple of 66. Switch to rejection sampling so every character is
equally likely.

Flagged by CodeQL (js/biased-cryptographic-random).

Author: wyattjoh

.changeset/pkce-unbiased-random.md

@@ -0,0 +1,5 @@
+---
+"clerk": patch
+---
+
+Fix biased character distribution in PKCE code verifier generation. Replaces `byte % CHARSET.length` with rejection sampling so every character in the 66-entry charset is equally likely, restoring full entropy.

packages/cli-core/src/lib/pkce.test.ts

@@ -18,6 +18,27 @@ describe("PKCE", () => {
     expect(a).not.toBe(b);
   });
 
+  test("generateCodeVerifier produces an unbiased distribution", () => {
+    // With 66 charset entries and 256-byte modulo, a naive `byte % 66`
+    // over-represents the first 58 characters by ~33%. Rejection sampling
+    // should keep per-character counts within ~10% of uniform over a
+    // large sample.
+    const CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+    const counts = new Map<string, number>(CHARSET.split("").map((c) => [c, 0]));
+    const iterations = 2000;
+    for (let i = 0; i < iterations; i++) {
+      for (const ch of generateCodeVerifier()) {
+        counts.set(ch, (counts.get(ch) ?? 0) + 1);
+      }
+    }
+    const total = iterations * 43;
+    const expected = total / CHARSET.length;
+    const tolerance = expected * 0.1;
+    for (const [, count] of counts) {
+      expect(Math.abs(count - expected)).toBeLessThan(tolerance);
+    }
+  });
+
   test("generateCodeChallenge produces valid base64url S256 hash", async () => {
     const verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
     const challenge = await generateCodeChallenge(verifier);

packages/cli-core/src/lib/pkce.ts

@@ -5,14 +5,21 @@
 
 const VERIFIER_LENGTH = 43;
 const CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+// Largest multiple of CHARSET.length that fits in a byte. Values >= this
+// would map non-uniformly via modulo, so reject them (rejection sampling).
+const REJECTION_THRESHOLD = 256 - (256 % CHARSET.length);
 
 export function generateCodeVerifier(): string {
-  const bytes = crypto.getRandomValues(new Uint8Array(VERIFIER_LENGTH));
-  let verifier = "";
-  for (const byte of bytes) {
-    verifier += CHARSET[byte % CHARSET.length];
+  const verifier: string[] = [];
+  while (verifier.length < VERIFIER_LENGTH) {
+    const bytes = crypto.getRandomValues(new Uint8Array(VERIFIER_LENGTH));
+    for (const byte of bytes) {
+      if (byte >= REJECTION_THRESHOLD) continue;
+      verifier.push(CHARSET.charAt(byte % CHARSET.length));
+      if (verifier.length === VERIFIER_LENGTH) break;
+    }
   }
-  return verifier;
+  return verifier.join("");
 }
 
 export async function generateCodeChallenge(verifier: string): Promise<string> {