fix: properly handle state if cookie already exists

resolves #461

Author: atinux

src/runtime/server/lib/oauth/ory.ts

@@ -126,7 +126,7 @@ export function defineOAuthOryEventHandler({ config, onSuccess, onError }: OAuth
     }
 
     if (query.state !== state) {
-      handleInvalidState(event, 'ory', onError)
+      return handleInvalidState(event, 'ory', onError)
     }
 
     const tokenURL = `${config.sdkURL}${config.tokenURL}`

src/runtime/server/lib/utils.ts

@@ -1,4 +1,4 @@
-import { type H3Event, deleteCookie, getCookie, setCookie } from 'h3'
+import { type H3Event, deleteCookie, getCookie, getQuery, setCookie } from 'h3'
 import { getRequestURL } from 'h3'
 import { FetchError } from 'ofetch'
 import { snakeCase, upperFirst } from 'scule'
@@ -205,13 +205,16 @@ export async function handlePkceVerifier(event: H3Event) {
 }
 
 export async function handleState(event: H3Event) {
-  let state = getCookie(event, 'nuxt-auth-state')
-  if (state) {
+  const query = getQuery<{ state?: string }>(event)
+  // If the state is in the query, get it from the cookie and delete the cookie
+  if (query.state) {
+    const state = getCookie(event, 'nuxt-auth-state')
     deleteCookie(event, 'nuxt-auth-state')
     return state
   }
 
-  state = encodeBase64Url(getRandomBytes(8))
+  // If the state is not in the query, generate a new state and set it in the cookie
+  const state = encodeBase64Url(getRandomBytes(8))
   setCookie(event, 'nuxt-auth-state', state)
   return state
 }