From 910835c6571409af6cb3e0b8ff3a496a71d2bd81 Mon Sep 17 00:00:00 2001
From: sov2000
Date: Tue, 10 Dec 2024 09:57:27 -0500
Subject: [PATCH] Resolving issues #22, #15
---
 README.md | 2 +-
 etsyv3/util/auth/auth_helper.py | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ee633dc..2f64712 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Python 3 client for the [Etsy Open API v3](https://developer.etsy.com/documentat
 The authorisation flow in v3 of Etsy's API is somewhat different to the flow used in v2. It is the [OAuth 2.0 Authorization Code Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.1) flow, [documented quite well by Etsy themselves](https://developer.etsy.com/documentation/essentials/authentication/). Make sure you've done the setup at `Requesting an OAuth Token`, in terms of getting your Etsy API keystring and callback URLs set up.
-In the `etsyv3.utils.util.auth` package, the `auth_helper.py` module contains a helper class (`AuthHelper`) for the authentication flow. Provided with the keystring, one of the redirect URLs that you've specific in your Etsy app setup, a list of scopes to be provided in this authentication (a list of strings at present, but likely to become a set of `enums` in future), a code verifier string (specified by you) and a state string (also specified by you), it will allow for some simplification of the process.
+In the `etsyv3.util.auth` package, the `auth_helper.py` module contains a helper class (`AuthHelper`) for the authentication flow. Provided with the keystring, one of the redirect URLs that you've specific in your Etsy app setup, a list of scopes to be provided in this authentication (a list of strings at present, but likely to become a set of `enums` in future), a code verifier string (specified by you) and a state string (also specified by you), it will allow for some simplification of the process.
 With your initialised `AuthHelper`, the flow looks something like this:
diff --git a/etsyv3/util/auth/auth_helper.py b/etsyv3/util/auth/auth_helper.py
index 84c9c45..2e28098 100644
--- a/etsyv3/util/auth/auth_helper.py
+++ b/etsyv3/util/auth/auth_helper.py
@@ -3,6 +3,7 @@ import secrets
 from typing import List, Optional, Tuple
+from etsy_api import BadRequest
 from requests_oauthlib import OAuth2Session # type: ignore[import]
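Review bot: The added `from etsy_api import BadRequest` imports a top-level module named `etsy_api`, but this file lives inside the `etsyv3` package (`etsyv3/util/auth/auth_helper.py`), so unless a separate top-level `etsy_api` module is importable the line will presumably raise ModuleNotFoundError as soon as `auth_helper` is imported. If `BadRequest` is defined in the package's own `etsy_api` module (its location is not visible in this patch), the import should be package-qualified, `from etsyv3.etsy_api import BadRequest`. It is also worth confirming that that module does not import anything from `etsyv3.util.auth`, since that would create an import cycle.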
@@ -43,7 +44,8 @@ def set_authorisation_code(self, code: str, state: str) -> None:
 if state == self.state:
 self.auth_code = code
 else:
- raise
+ # per etsy followed RFC 6749 bad state should raise invalid request, https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+ raise BadRequest('{"error": "invalid_request", "error_description": "State mismatch"}')
 def get_access_token(self) -> Optional[str]:
 headers = {
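Review bot: The comment added in the `else` branch cites RFC 6749 section 5.2, but that section defines the error response the authorization server returns from its token endpoint; what this branch does is reject, on the client side, a callback whose `state` differs from the one the helper holds, which is the CSRF protection described in section 10.12. I would reword it to `# state mismatch: reject the callback (CSRF check, RFC 6749 section 10.12)`. Raising `BadRequest` with a JSON-shaped string also makes this local rejection look like an HTTP 400 from the API, assuming that is what `BadRequest` represents elsewhere in the package (its definition is not in this patch), so a caller cannot tell a forged or stale callback apart from a malformed request; a plain message or a dedicated exception would keep that signal. The `def` line of `set_authorisation_code` appears only in the hunk header, so the function starts outside the hunk.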