Check for state as well to reduce collisions with other code params (#…

…107)
auth0 · Sep 2, 2020 · b6a4f99 · b6a4f99
1 parent bb8ec72
commit b6a4f99
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/__tests__/utils.test.tsx b/__tests__/utils.test.tsx
@@ -2,12 +2,21 @@ import { hasAuthParams, loginError, tokenError } from '../src/utils';
 import { OAuthError } from '../src/errors';
 
 describe('utils hasAuthParams', () => {
-  it('should recognise the code param', async () => {
+  it('should not recognise only the code param', async () => {
     ['?code=1', '?foo=1&code=2', '?code=1&foo=2'].forEach((search) =>
-      expect(hasAuthParams(search)).toBeTruthy()
+      expect(hasAuthParams(search)).toBeFalsy()
     );
   });
 
+  it('should recognise the code and state param', async () => {
+    [
+      '?code=1&state=2',
+      '?foo=1&state=2&code=3',
+      '?code=1&foo=2&state=3',
+      '?state=1&code=2&foo=3',
+    ].forEach((search) => expect(hasAuthParams(search)).toBeTruthy());
+  });
+
   it('should recognise the error param', async () => {
     ['?error=1', '?foo=1&error=2', '?error=1&foo=2'].forEach((search) =>
       expect(hasAuthParams(search)).toBeTruthy()

diff --git a/src/utils.tsx b/src/utils.tsx
@@ -5,10 +5,12 @@ import {
 import { OAuthError } from './errors';
 
 const CODE_RE = /[?&]code=[^&]+/;
+const STATE_RE = /[?&]state=[^&]+/;
 const ERROR_RE = /[?&]error=[^&]+/;
 
 export const hasAuthParams = (searchParams = window.location.search): boolean =>
-  CODE_RE.test(searchParams) || ERROR_RE.test(searchParams);
+  (CODE_RE.test(searchParams) && STATE_RE.test(searchParams)) ||
+  ERROR_RE.test(searchParams);
 
 const normalizeErrorFn = (fallbackMessage: string) => (
   error: Error | { error: string; error_description?: string } | ProgressEvent