thetutlage
commented
2 years ago I am not sure how does it code fixes this issue https://github.com/adonisjs/ally/issues/133
Closed eyglys closed 2 years ago
thetutlage
commented
2 years ago I am not sure how does it code fixes this issue https://github.com/adonisjs/ally/issues/133
eyglys
commented
2 years ago The second parameter of encryptedCookie is the default value when the cookie does not exist. This behavior can be used to identify that the cookie does not exist and avoid unnecessary cleaning (set-cookie). I'm not sure if it solves the problem of an expired OAuthSecret, where it will be necessary to overwrite the previous OAuthSecret with the new Secret, in this situation I believe that the clearCookie should not be executed.
stale[bot]
commented
2 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Proposed changes
Avoid executing clearCookie on AbstractDrivers/Oauth2.loadState method (also on Oauth1) when the cookie does not exist. This bugfix resolves issue #133.
Types of changes
Checklist
Put an
xin the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Further comments
The use of ally and web sessions (via cookie) sent two set-cookies to the browser. One such set-cookie was a clear (performed by clearCookie). The result of this was the loss of state between the Adonis application and the authentication service.
The bug is described in issue #133 .
The clearCookie should only be run when there is a state cookie (otherwise it will send a set-cookie).