cmd-johnson / deno-oauth2-client

Minimalistic OAuth 2.0 client for Deno.
MIT License
45 stars, 9 forks

Validate state before everything else #24

Closed. martpet closed this 1 year ago

martpet commented 1 year ago

Is it a good idea to validate the state before checking the URL search params?

cmd-johnson commented 1 year ago

Hi there! What do you think would be the benefits of validating the state before everything else?

The way I originally approached this was to perform the "cheaper" tests like string comparisons first and only call the async stateValidator function when all those cheap tests pass, because the state validator might make relatively resource-heavy database requests (when compared to simple string comparisons).

martpet commented 1 year ago

I was thinking about validating the state before checking the error param, because the param can be altered. Not that it poses a security risk. Anyway, it's resource heavy. Thank you for reviewing.