fix: missing code_challenge and state mismatch (#465)

jals1212 · atinux · web-flow · commit de77149fa549 · 2025-12-09T15:05:39.000+01:00
Co-authored-by: Sébastien Chopin &lt;seb@nuxt.com&gt;
Co-authored-by: Sébastien Chopin &lt;atinux@gmail.com&gt;
diff --git a/src/runtime/server/lib/oauth/azureb2c.ts b/src/runtime/server/lib/oauth/azureb2c.ts
@@ -105,7 +105,6 @@ export function defineOAuthAzureB2CEventHandler({ config, onSuccess, onError }:
       return handleInvalidState(event, 'azureb2c', onError)
     }
 
-    console.info('code verifier', verifier.code_verifier)
     const tokens = await requestAccessToken(tokenURL, {
       body: {
         grant_type: 'authorization_code',
diff --git a/src/runtime/server/lib/utils.ts b/src/runtime/server/lib/utils.ts
@@ -182,26 +182,29 @@ function getRandomBytes(size: number = 32) {
 }
 
 export async function handlePkceVerifier(event: H3Event) {
-  let verifier = getCookie(event, 'nuxt-auth-pkce')
-  if (verifier) {
-    deleteCookie(event, 'nuxt-auth-pkce')
-    return { code_verifier: verifier }
-  }
+  const query = getQuery<{ code?: string }>(event)
 
   // Create new verifier
-  verifier = encodeBase64Url(getRandomBytes())
-  setCookie(event, 'nuxt-auth-pkce', verifier)
-
-  // Get pkce
-  const encodedPkce = new TextEncoder().encode(verifier)
-  const pkceHash = await subtle.digest('SHA-256', encodedPkce)
-  const pkce = encodeBase64Url(new Uint8Array(pkceHash))
-
-  return {
-    code_verifier: verifier,
-    code_challenge: pkce,
-    code_challenge_method: 'S256',
+  if (!query.code) {
+    const verifier = encodeBase64Url(getRandomBytes())
+    setCookie(event, 'nuxt-auth-pkce', verifier)
+
+    // Get pkce
+    const encodedPkce = new TextEncoder().encode(verifier)
+    const pkceHash = await subtle.digest('SHA-256', encodedPkce)
+    const pkce = encodeBase64Url(new Uint8Array(pkceHash))
+
+    return {
+      code_verifier: verifier,
+      code_challenge: pkce,
+      code_challenge_method: 'S256',
+    }
   }
+  // If the verifier is in the cookie, get it from the cookie and delete the cookie
+  const verifier = getCookie(event, 'nuxt-auth-pkce')
+  deleteCookie(event, 'nuxt-auth-pkce')
+
+  return { code_verifier: verifier }
 }
 
 export async function handleState(event: H3Event) {

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,6 @@ export function defineOAuthAzureB2CEventHandler({ config, onSuccess, onError }:`
`105`	`105`	`return handleInvalidState(event, 'azureb2c', onError)`
`106`	`106`	`}`
`107`	`107`
`108`		`- console.info('code verifier', verifier.code_verifier)`
`109`	`108`	`const tokens = await requestAccessToken(tokenURL, {`
`110`	`109`	`body: {`
`111`	`110`	`grant_type: 'authorization_code',`