fix: missing code_challenge and state mismatch

src/runtime/server/lib/oauth/azureb2c.ts

@@ -105,7 +105,6 @@ export function defineOAuthAzureB2CEventHandler({ config, onSuccess, onError }:
       return handleInvalidState(event, 'azureb2c', onError)
     }
 
-    console.info('code verifier', verifier.code_verifier)
     const tokens = await requestAccessToken(tokenURL, {
       body: {
         grant_type: 'authorization_code',

src/runtime/server/lib/utils.ts

@@ -182,26 +182,29 @@ function getRandomBytes(size: number = 32) {
 }
 
 export async function handlePkceVerifier(event: H3Event) {
-  let verifier = getCookie(event, 'nuxt-auth-pkce')
-  if (verifier) {
-    deleteCookie(event, 'nuxt-auth-pkce')
-    return { code_verifier: verifier }
-  }
+  const query = getQuery<{ code?: string }>(event)
 
   // Create new verifier
-  verifier = encodeBase64Url(getRandomBytes())
-  setCookie(event, 'nuxt-auth-pkce', verifier)
-
-  // Get pkce
-  const encodedPkce = new TextEncoder().encode(verifier)
-  const pkceHash = await subtle.digest('SHA-256', encodedPkce)
-  const pkce = encodeBase64Url(new Uint8Array(pkceHash))
-
-  return {
-    code_verifier: verifier,
-    code_challenge: pkce,
-    code_challenge_method: 'S256',
+  if (!query.code) {
+    const verifier = encodeBase64Url(getRandomBytes())
+    setCookie(event, 'nuxt-auth-pkce', verifier)
+
+    // Get pkce
+    const encodedPkce = new TextEncoder().encode(verifier)
+    const pkceHash = await subtle.digest('SHA-256', encodedPkce)
+    const pkce = encodeBase64Url(new Uint8Array(pkceHash))
+
+    return {
+      code_verifier: verifier,
+      code_challenge: pkce,
+      code_challenge_method: 'S256',
+    }
   }
+  // If the verifier is in the cookie, get it from the cookie and delete the cookie
+  const verifier = getCookie(event, 'nuxt-auth-pkce')
+  deleteCookie(event, 'nuxt-auth-pkce')
+
+  return { code_verifier: verifier }
 }
 
 export async function handleState(event: H3Event) {