badgateway / oauth2-client

OAuth2 client for Node and browsers
https://www.npmjs.com/package/@badgateway/oauth2-client
MIT License

State query parameter is required in code flow #83

Closed arnath closed 1 year ago

arnath commented 1 year ago

The authorization code flow logic contains the lines below. These make it so that the state query parameter is required in the response, regardless of whether it was passed in the authorize call. I have a fix for this but can't seem to push a branch.

// The redirect must carry the authorization code.
if (!queryParams.has('code')) throw new Error(`The url did not contain a code parameter ${url}`);
// This check fires even when no state was sent in the authorize call.
if (!queryParams.has('state')) throw new Error(`The url did not contain state parameter ${url}`);

// The comparison itself is already conditional on params.state having been set.
if (params.state && params.state !== queryParams.get('state')) {
  throw new Error(`The "state" parameter in the url did not match the expected value of ${params.state}`);
}

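The behaviour described in the issue, shown as an added example that is not code from @badgateway/oauth2-client: a small redirect-URL parser that requires and compares `state` only when the caller actually sent one, while still rejecting a missing `code` and surfacing an `error` response from the authorization server. The function name `parseCodeRedirect` and its `expectedState` argument are assumptions for illustration.

```javascript
// Added example (not the library's own code). Validates the redirect URL an
// authorization server sends back in the OAuth2 authorization-code flow.
// Assumption: `expectedState` is the `state` value the client included in its
// authorize request, or undefined if it sent none.
function parseCodeRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const params = url.searchParams;

  // Error responses carry `error` instead of `code`; report them explicitly.
  if (params.has('error')) {
    throw new Error(`Authorization server returned error: ${params.get('error')}`);
  }

  // The code is always mandatory. The error message deliberately omits the
  // query string so the code never ends up in logs.
  if (!params.has('code')) {
    throw new Error(`The url did not contain a code parameter: ${url.origin}${url.pathname}`);
  }

  // `state` ties the response to the request that started it (CSRF protection).
  // It is only required, and only compared, when the client sent one; the
  // original check rejected every response without `state` unconditionally.
  if (expectedState !== undefined) {
    if (!params.has('state')) {
      throw new Error('The url did not contain a state parameter');
    }
    if (params.get('state') !== expectedState) {
      throw new Error('The "state" parameter in the url did not match the expected value');
    }
  }

  return {
    code: params.get('code'),
    state: params.get('state') ?? undefined,
  };
}

// Constructed sample redirect URLs (not captured from a real server).
const okWithState = parseCodeRedirect('https://app.example/cb?code=abc123&state=xyz', 'xyz');
const okNoState = parseCodeRedirect('https://app.example/cb?code=abc123');
console.log(okWithState, okNoState);
```

Even with the conditional check, a client that omits `state` gives up the binding between the authorize request and the callback, so the safer default is to always generate a random `state`, store it in the session, and pass it as `expectedState` when the callback arrives.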
evert commented 1 year ago

Hi @arnath , if you want to contribute try hitting the fork button first


From there you can make a pull request back to this repo.