fix: treat session-flow callback (no state) as valid when coming from auth hub

Made-with: Cursor
Usman Baig
2026-02-26 14:26:54 +01:00
parent 40fe34014c
commit 1edd78672e


@@ -56,12 +56,15 @@ function AuthCallbackContent() {
const storedState = localStorage.getItem('oauth_state')
const codeVerifier = localStorage.getItem('oauth_code_verifier')
// * Full OAuth flow (app-initiated): validate state + use PKCE
// * Session-authorized flow (from auth hub): no stored state or verifier
const isFullOAuth = !!storedState && !!codeVerifier
if (isFullOAuth) {
if (state !== storedState) {
// * Session flow (from auth hub): redirect has code but no state. Clear stale PKCE
// * data from any previous app-initiated OAuth so exchange proceeds without validation.
if (!state) {
localStorage.removeItem('oauth_state')
localStorage.removeItem('oauth_code_verifier')
} else {
// * Full OAuth flow (app-initiated): validate state + use PKCE
const isFullOAuth = !!storedState && !!codeVerifier
if (isFullOAuth && state !== storedState) {
logger.error('State mismatch', { received: state, stored: storedState })
setError('Invalid state')
return