fastify/fastify-oauth2

generateStateFunction not called anymore when using custom start redirect handler

Closed this issue · 1 comments

dmidz commented

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the regression has not already been reported

Last working version

7.1.1

Stopped working in version

7.2.0

Node.js version

16.x

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

Debian 10.9

💥 Regression Report

generateStateFunction is not called anymore when using a custom start redirect handler.
It seems the call has been moved from generateAuthorizationUri (used in the custom handler) to startRedirectHandler.
So indeed the state could not be generated and then compared.

Steps to Reproduce

OAuth options

...
		generateStateFunction: ( request ) => {//__ this one is not called anymore
			const state = {
				code: crypto.randomBytes( 10 ).toString( 'hex' ),
				redirect: request.query.redirect,
			};
			logger.debug( { state }, 'generateStateFunction' );
			stateParameters.set( state.code, state );
			return state.code;
		},
		checkStateFunction: ( request, callback ) => {//__ so request.query.state = "undefined"
			logger.debug({ queryState: request.query }, 'checkStateFunction');
			const state = stateParameters.get( request.query.state );
			if( !state ){
				return callback( new Error( 'InvalidState' ) ); // return so the callback is not invoked a second time below
			}
			callback();
		}
...

Custom start redirect handler

	fastify.route( {
		url: options.pathPrefix,
		method: 'GET',
		config: { public: true },
		handler: async ( request, reply ) => {
			try {
				const authorizationEndpoint = fastify.googleOAuth2.generateAuthorizationUri( request );
				reply.redirect( authorizationEndpoint );
			} catch( err ) {
				logger.error( err, 'OAuthRedirectError' );
				return fastify.httpErrors.unauthorized();
			}
		}
	} );

Expected Behavior

The generateStateFunction to be called when using a custom handler using generateAuthorizationUri.
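
An added example, not code from this issue or from fastify-oauth2: a pair of state functions with the same shapes as the options above, where the check rejects a missing or literal "undefined" state, invokes the callback exactly once, and consumes each state on first use. `createStateStore`, `runCheck`, the TTL, the injectable clock and the `oauthState` property are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('node:crypto');

// Hypothetical helper (not part of fastify-oauth2): returns a matching
// generateStateFunction / checkStateFunction pair backed by an in-memory Map.
function createStateStore({ ttlMs = 10 * 60 * 1000, now = Date.now } = {}) {
  const pending = new Map(); // state code -> { redirect, expires }

  function generateStateFunction(request) {
    const code = crypto.randomBytes(16).toString('hex');
    // The redirect target is caller-supplied: validate it before redirecting.
    pending.set(code, { redirect: request.query.redirect, expires: now() + ttlMs });
    return code;
  }

  function checkStateFunction(request, callback) {
    const code = request.query.state;
    // A missing value, or the literal string "undefined" seen in this report,
    // never matches a stored entry and is rejected.
    const entry = typeof code === 'string' ? pending.get(code) : undefined;
    if (!entry) {
      return callback(new Error('InvalidState'));
    }
    pending.delete(code); // single use: a replayed callback URL fails
    if (entry.expires < now()) {
      return callback(new Error('ExpiredState'));
    }
    request.oauthState = entry; // assumed property, for the post-login redirect
    return callback();
  }

  return { generateStateFunction, checkStateFunction, size: () => pending.size };
}

// Constructed request objects standing in for Fastify requests.
// Returns every callback invocation so a double call would be visible.
function runCheck(store, query) {
  const calls = [];
  store.checkStateFunction({ query }, (err) => calls.push(err ? err.message : 'ok'));
  return calls;
}
```
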

dmidz commented

I am working on the fix.