Invalid state with Github provider (err 500) #255

Open

Kayoshi-dev opened this issue Apr 19, 2024 · 3 comments

Kayoshi-dev commented Apr 19, 2024

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.26.2

Plugin version

7.8.0

Node.js version

20.5.1

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

14.4.1

Description

Hello,

While using the Github provider, I noticed something strange.

When setting the startRedirectPath, if you put a / in the path, it breaks the Github provider.

So, for example, if you set the startRedirectPath to /login/github and try to connect, you will get a result from the callback that looks like this

{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "Invalid state"
}

But, setting the startRedirectPath to something like /github instantly works, so I think there's a bug somewhere.

Maybe worth knowing: I use autoload to load all my routes like this:

fastify.register(autoLoad, {
  dir: path.join(__dirname, "src/routes"),
  options: { prefix: "/api" },
});

From what I can see, it looks like the state and stateCookie variables are not equal in the defaultCheckStateFunction function in the index.js of the package. But I have no idea why.

Steps to Reproduce

fastify.register(oAuthPlugin, {
  name: "oauthName",

  credentials: {
    client: {
      id: "xxx",
      secret: "xxx",
    },
    auth: oAuthPlugin.GITHUB_CONFIGURATION,
  },

  startRedirectPath: "/login/github",
  callbackUri: "http://localhost:3000/api/auth/providers/github/callback",
});

Expected Behavior

No response

@FlawTECH

I'm pretty sure this is the issue I was facing here.
The module's cookie (oauth2-redirect-state) path set by startRedirectPath is set to /login, and your callbackUri is at /api/auth/[...] which is outside of /login.

When changing startRedirectPath to /github, the cookie path is /, so the cookie is available everywhere.

@shellvon

@FlawTECH you are right, one solution is to make sure startRedirectPath and callbackUri have the same prefix path,

or another solution is to pass cookie params without changing startRedirectPath or callbackUri:

fastify.register(fastifyOauth2, {
    // The documentation says the default `path` is / , but it's not actually ~
    cookie: {
      path: "/",
    }
});

Certainly, you can customise checkStateFunction and generateStateFunction without using a cookie, e.g. store the state in Redis.

@shellvon

When I was planning to submit a documentation fix for the cookie.path annotation in @fastify/fastify-cookie today, I found that it had already been addressed in version 9.4.0.

For more details please see here: fastify/fastify-cookie#284

also,

https://stackoverflow.com/questions/43324480/how-does-a-browser-handle-cookie-with-no-path-and-no-domain
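The following is an added example (not code from the issue or from @fastify/oauth2) that models the behaviour described above: the state cookie's path is derived from startRedirectPath with the RFC 6265 default-path rule, and the browser only sends it to the callback if that path matches. It assumes the callbackUri from the original report and that the plugin's cookie path follows the startRedirectPath prefix, as the thread states.

```javascript
// Added example: why a state cookie scoped by startRedirectPath never reaches
// a callback route under a different prefix (RFC 6265, section 5.1.4).

// Default cookie path when Set-Cookie carries no Path attribute.
function defaultCookiePath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  if (lastSlash === 0) return "/";          // "/github"       -> "/"
  return requestPath.slice(0, lastSlash);   // "/login/github" -> "/login"
}

// Path-match rule the browser applies before attaching a cookie to a request.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  // "/api" must not match "/apifoo"; the next char must be a "/".
  return requestPath[cookiePath.length] === "/";
}

// Simulated round trip: the state cookie is set on the start route (assumed to
// follow the startRedirectPath prefix, as described in the thread) and the
// browser decides whether to send it with the callback request.
function stateCookieReachesCallback(startRedirectPath, callbackUri, cookieOptions = {}) {
  const cookiePath = cookieOptions.path ?? defaultCookiePath(startRedirectPath);
  const callbackPath = new URL(callbackUri).pathname;
  return { cookiePath, sent: pathMatches(cookiePath, callbackPath) };
}

// Values from the issue report (constructed client ids are not needed here).
const callbackUri = "http://localhost:3000/api/auth/providers/github/callback";

console.log(stateCookieReachesCallback("/login/github", callbackUri));
// { cookiePath: '/login', sent: false }  -> server sees no cookie: "Invalid state"
console.log(stateCookieReachesCallback("/github", callbackUri));
// { cookiePath: '/', sent: true }
console.log(stateCookieReachesCallback("/login/github", callbackUri, { path: "/" }));
// { cookiePath: '/', sent: true }        -> the cookie: { path: "/" } fix
```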
