Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuthAuthorizeParams does not include state #71

Open
jasonculverhouse opened this issue Sep 20, 2024 · 0 comments
Open

OAuthAuthorizeParams does not include state #71

jasonculverhouse opened this issue Sep 20, 2024 · 0 comments

Comments

@jasonculverhouse
Copy link

I think that this would resolve a lot of issues that people are having using various clients?

If a state parameter is included in the application login setup it also needs to be echoed back in the redirect.

I think this diff will include that state. I need to setup up a local dev environment so that I can regenerate some file.

for instance if state=ZZZ is passed in then it also need to be carried through to the redirectUriWithCode

 https://skybridge.fly.dev/oauth/authorize?response_type=code&client_id=XXX&redirect_uri=https://XXX&scope=read%20write&state=ZZZ

diff --git a/lib/models/oauth/oauth_authorize_params.dart b/lib/models/oauth/oauth_authorize_params.dart
index 22b2513..e670305 100644
--- a/lib/models/oauth/oauth_authorize_params.dart
+++ b/lib/models/oauth/oauth_authorize_params.dart
@@ -12,6 +12,7 @@ class OAuthAuthorizeParams {
     required this.responseType,
     required this.clientId,
     required this.redirectUri,
+    this.state,
     this.scope = 'read',
     this.forceLogin,
     this.lang,
@@ -39,6 +40,9 @@ class OAuthAuthorizeParams {
   @JsonKey(name: 'redirect_uri')
   final String redirectUri;
 
+  /// The state parameter to maintain state between the request and callback.
+  final String? state; // Optional state field
+
   /// List of requested OAuth scopes, separated by spaces.
   /// Must be a subset of scopes declared during app registration.
   /// If not provided, defaults to read.
diff --git a/routes/oauth/authorize.dart b/routes/oauth/authorize.dart
index ced3da1..07a9cd1 100644
--- a/routes/oauth/authorize.dart
+++ b/routes/oauth/authorize.dart
@@ -117,10 +117,14 @@ Future<Response> _post(RequestContext context) async {
 
   final signedCode = packObject(code.toJson());
   final redirectUri = Uri.parse(auth.redirectUri);
+
+  final Map<String, String> queryParams = {'code': signedCode};
+  if (auth.state != null) {
+    queryParams['state'] = auth.state!;
+  }
+
   final redirectUriWithCode = redirectUri.replace(
-    queryParameters: {
-      'code': signedCode,
-    },
+    queryParameters: queryParams,
   );
 
   return Response(
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jasonculverhouse