[SDK-2943] Add check for state in handleRedirectCallback

[stevehobbsdev]

Changes

This PR re-adds the check for a matching state value when handling the callback from Auth0. We used to perform this check differently, as the transaction key used to contain the state value (so getting the transaction implictly meant that the state would have to match). However, this check was removed when we removed the state from the transaction key.

As this SDK enforces PKCE which already enables sufficient CSRF protection, this state check is not necessary to perform. However, we do continue to send a state param to the IdP and the specification states that the state must be validated if one is sent to the /authorize endpoint (see sections 4.1.2 and 10.12 of RFC6749).

Rather than remove sending the state value, we've chosen to re-add the check, which should present no issues to customers, but does provide better optics than just removing state.

References

SDK-2943 (internal ticket)

Testing

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed

[stevehobbsdev]

This being pinned, as there is a potential issue with 6.1.0, have raised it: yowainwright/es-check#139