`OAuthAuthorizeParams` does not include `state`
jasonculverhouse opened this issue · 0 comments
jasonculverhouse commented
I think that this would resolve a lot of issues that people are having using various clients?
If a state parameter is included in the application login setup it also needs to be echoed back in the redirect.
I think this diff will include that state. I need to setup up a local dev environment so that I can regenerate some file.
For instance, if `state=ZZZ` is passed in, then it also needs to be carried through to the redirectUriWithCode:
https://skybridge.fly.dev/oauth/authorize?response_type=code&client_id=XXX&redirect_uri=https://XXX&scope=read%20write&state=ZZZ
diff --git a/lib/models/oauth/oauth_authorize_params.dart b/lib/models/oauth/oauth_authorize_params.dart
index 22b2513..e670305 100644
--- a/lib/models/oauth/oauth_authorize_params.dart
+++ b/lib/models/oauth/oauth_authorize_params.dart
@@ -12,6 +12,7 @@ class OAuthAuthorizeParams {
required this.responseType,
required this.clientId,
required this.redirectUri,
+ this.state,
this.scope = 'read',
this.forceLogin,
this.lang,
@@ -39,6 +40,9 @@ class OAuthAuthorizeParams {
@JsonKey(name: 'redirect_uri')
final String redirectUri;
+ /// The state parameter to maintain state between the request and callback.
+ final String? state; // Optional state field
+
/// List of requested OAuth scopes, separated by spaces.
/// Must be a subset of scopes declared during app registration.
/// If not provided, defaults to read.
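Review bot: the new `state` field is only declared on the model here; since the class is `@JsonKey`-annotated (json_serializable), the generated `fromJson`/`toJson` in the companion `.g.dart` file has to be regenerated as well, or `state` will always deserialize to `null` and the `if (auth.state != null)` guard in the route never fires. Also, the trailing `// Optional state field` comment duplicates the doc comment above it; drop it and instead say in the doc comment that the value is client-supplied and opaque to the server and is returned unmodified in the redirect.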
diff --git a/routes/oauth/authorize.dart b/routes/oauth/authorize.dart
index ced3da1..07a9cd1 100644
--- a/routes/oauth/authorize.dart
+++ b/routes/oauth/authorize.dart
@@ -117,10 +117,14 @@ Future<Response> _post(RequestContext context) async {
final signedCode = packObject(code.toJson());
final redirectUri = Uri.parse(auth.redirectUri);
+
+ final Map<String, String> queryParams = {'code': signedCode};
+ if (auth.state != null) {
+ queryParams['state'] = auth.state!;
+ }
+
final redirectUriWithCode = redirectUri.replace(
- queryParameters: {
- 'code': signedCode,
- },
+ queryParameters: queryParams,
);
return Response(
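Review bot: `redirectUri.replace(queryParameters: queryParams)` discards any query component already present on the registered redirect URI, so a client that registered `https://XXX/callback?foo=bar` loses `foo` when the code is delivered; this was already true of the old `{'code': signedCode}` form, but since the map is being built explicitly now, start it from the existing parameters: `final queryParams = {...redirectUri.queryParameters, 'code': signedCode};` and then add `state`. Passing `state` through untouched and letting `Uri.replace` handle the encoding is the right behaviour; the same echo is also required on any error redirect this endpoint issues (e.g. an access-denied response), so check that code path is covered too.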