sergiodxa / remix-auth-oauth2

An OAuth2Strategy for Remix Auth
https://sergiodxa.github.io/remix-auth-oauth2/
MIT License

Error: Missing state on session #81

Closed danthegoodman1 closed 7 months ago

danthegoodman1 commented 7 months ago

It has been working fine with Hugging Face for about a week until today, when on login I started getting errors like "Missing state on session" in the authenticator.authenticate() call.

My config looks like:

new OAuth2Strategy(
    {
      authorizationURL: "https://huggingface.co/oauth/authorize",
      tokenURL: "https://huggingface.co/oauth/token",
      clientID: process.env.HF_CLIENT_ID!,
      clientSecret: process.env.HF_CLIENT_SECRET!,
      useBasicAuthenticationHeader: true,
      callbackURL: "http://localhost:8080/auth/callback",
      scope: "openid profile email read-repos manage-repos",
    },

and:

import type { LoaderFunctionArgs } from "@remix-run/node"
import { createCookie, redirect } from "@remix-run/node"
// Assumed module path: wherever the Authenticator and strategy name live in this app.
import { authenticator, huggingfaceAuthenticator } from "~/auth.server"

export const signinRedirectCookie = createCookie("signin-redirect", {
  sameSite: "lax",
  path: "/",
  httpOnly: true,
  secrets: [process.env.COOKIE_SECRET!],
  secure: false, // set to process.env.NODE_ENV === "production" so the cookie is HTTPS-only in prod
})

export async function loader(args: LoaderFunctionArgs) {
  const searchParams = new URL(args.request.url).searchParams
  const redirectTo = searchParams.get("redirectTo")
  // Only remember same-origin paths: a scheme-relative ("//evil.example") or absolute
  // value would turn the post-login redirect into an open redirect.
  const safeRedirectTo =
    redirectTo && redirectTo.startsWith("/") && !redirectTo.startsWith("//")
      ? redirectTo
      : null

  try {
    return await authenticator.authenticate(
      huggingfaceAuthenticator,
      args.request,
      {
        successRedirect: "/dashboard",
        throwOnError: true,
      }
    )
  } catch (error) {
    if (error instanceof Response) {
      // Let's inject the cookie to set. Use append, not set: the strategy's redirect
      // already carries a Set-Cookie that commits the session (including the OAuth
      // state), and Headers.set() would replace that value with this one.
      if (safeRedirectTo) {
        error.headers.append(
          "set-cookie",
          await signinRedirectCookie.serialize(safeRedirectTo)
        )
      }
      return error
    }

    return redirect(
      "/signin?failed=" + encodeURIComponent((error as Error).message)
    )
  }
}

Nothing has changed in my code, but it seems I am unable to manually provide a state? Not sure what they changed, but it seems I am unable to accommodate it with the existing configuration options?

It also causes the browser to loop:

[14:41:28.583] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Missing%20state%20on%20session."
[14:41:28.876] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:29.144] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:29.263] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:29.384] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:29.509] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:30.754] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:30.862] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:30.967] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:31.083] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:31.191] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"
[14:41:31.412] DEBUG (7831): loaded URL
    URL: "http://localhost:8080/signin?failed=Failed%20to%20connect"

Edit: Seems to be related to this chunk of code: https://github.com/sergiodxa/remix-auth-oauth2/blob/main/src/index.ts#L190-L200

Debug looks like:

2024-01-11T19:59:40.647Z OAuth2Strategy Request URL http://localhost:8080/signin?redirectTo=%2Fdashboard
2024-01-11T19:59:40.647Z OAuth2Strategy Callback URL URL {}
2024-01-11T19:59:40.649Z OAuth2Strategy Redirecting to callback URL
2024-01-11T19:59:40.649Z OAuth2Strategy State 4ffd6f02-c2dc-4465-9e7e-ddbc87350bd7
2024-01-11T19:59:42.095Z OAuth2Strategy Request URL http://localhost:8080/auth/callback?code=bvDHoCWdtrGmCfeL&state=4ffd6f02-c2dc-4465-9e7e-ddbc87350bd7
2024-01-11T19:59:42.095Z OAuth2Strategy Callback URL URL {}
2024-01-11T19:59:42.095Z OAuth2Strategy State from URL 4ffd6f02-c2dc-4465-9e7e-ddbc87350bd7
2024-01-11T19:59:42.095Z OAuth2Strategy State from session undefined
2024-01-11T19:59:42.099Z OAuth2Strategy Request URL http://localhost:8080/signin?failed=Missing%20state%20on%20session.
2024-01-11T19:59:42.099Z OAuth2Strategy Callback URL URL {}
2024-01-11T19:59:42.099Z OAuth2Strategy Redirecting to callback URL
2024-01-11T19:59:42.099Z OAuth2Strategy State 761d5749-c61f-415e-b979-c1edc325cbed
2024-01-11T19:59:42.160Z OAuth2Strategy Request URL http://localhost:8080/auth/callback?code=zPEEeDzlgIuPLLWY&state=761d5749-c61f-415e-b979-c1edc325cbed
2024-01-11T19:59:42.161Z OAuth2Strategy Callback URL URL {}
2024-01-11T19:59:42.161Z OAuth2Strategy State from URL 761d5749-c61f-415e-b979-c1edc325cbed
2024-01-11T19:59:42.161Z OAuth2Strategy State from session 761d5749-c61f-415e-b979-c1edc325cbed
2024-01-11T19:59:42.161Z OAuth2Strategy State is valid
2024-01-11T19:59:42.372Z OAuth2Strategy Failed to verify user ECONNREFUSED: Failed to connect
    at <anonymous> (/Users/dangoodman/code/sellmyai/node_modules/pg-pool/index.js:47:11)
    at promiseReactionJob (native)
    at processTicksAndRejections (native) {
  code: 'ECONNREFUSED',
  syscall: 'connect',
  errno: 0,
  stack: 'Error: Failed to connect\n' +
    '    at <anonymous> (/Users/dangoodman/code/sellmyai/node_modules/pg-pool/index.js:47:11)\n' +
    '    at promiseReactionJob (native)\n' +
    '    at processTicksAndRejections (native)'
}
danthegoodman1 commented 7 months ago

"Failed to verify user ECONNREFUSED: Failed to connect": this line gave it away, the DB wasn't running on my local machine. I wish that error were passed through, maybe?