From 3334e591b96c7a865958cb716045c7b0496b15c4 Mon Sep 17 00:00:00 2001
From: Aleix
Date: Wed, 8 Nov 2023 18:08:20 +0100
Subject: [PATCH] Added state that contains a json base64 encoded with the request state params

---
 handlers.go | 4 ++--
 oauthhandler/providers.go | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/handlers.go b/handlers.go
index 3f4a2f3..1303796 100644
--- a/handlers.go
+++ b/handlers.go
@@ -155,13 +155,13 @@ func (f *faucet) authOAuthUrl(msg *apirest.APIdata, ctx *httprouter.HTTPContext)
 	type r struct {
 		RedirectURL string `json:"redirectURL"`
+		State       string `json:"state"`
 	}
 	newAuthUrlRequest := r{}
 	if err := json.Unmarshal(msg.Data, &newAuthUrlRequest); err != nil {
 		return ctx.Send(new(HandlerResponse).SetError(err.Error()).MustMarshall(), CodeErrIncorrectParams)
 	}
-	redirectURL := newAuthUrlRequest.RedirectURL
 	provider, ok := providers[requestedProvider]
 	if !ok {
 		return ctx.Send(new(HandlerResponse).SetError(ReasonErrOauthProviderNotFound).MustMarshall(), CodeErrOauthProviderNotFound)
@@ -170,7 +170,7 @@ func (f *faucet) authOAuthUrl(msg *apirest.APIdata, ctx *httprouter.HTTPContext)
 	type urlResponse struct {
 		Url string `json:"url"`
 	}
-	authURL := urlResponse{Url: provider.GetAuthURL(redirectURL)}
+	authURL := urlResponse{Url: provider.GetAuthURL(newAuthUrlRequest.RedirectURL, newAuthUrlRequest.State)}
 	return ctx.Send(new(HandlerResponse).Set(authURL).MustMarshall(), apirest.HTTPstatusOK)
 }
diff --git a/oauthhandler/providers.go b/oauthhandler/providers.go
index 5d4c514..b50fb85 100644
--- a/oauthhandler/providers.go
+++ b/oauthhandler/providers.go
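Review bot: The new `State` field is copied from the API caller's request straight into the provider's authorization URL, so the OAuth `state` value is chosen by the client rather than generated and later verified by this server. Per the commit title it carries request parameters, but in that form it gives no CSRF / login-binding protection: a callback handler cannot tell a genuine redirect from one an attacker crafted with their own authorization code. Consider having `authOAuthUrl` generate an unguessable nonce, keep it server-side (or in a signed cookie) next to the caller's encoded params, and reject callbacks whose `state` does not match; a size cap such as `if len(newAuthUrlRequest.State) > 1024 { return ctx.Send(new(HandlerResponse).SetError(ReasonErrIncorrectParams).MustMarshall(), CodeErrIncorrectParams) }` (using whatever reason constant the file defines) would also keep arbitrary client data out of the generated URL. The callback side is not in this diff, so whether any verification exists there is inferred, not seen. `authOAuthUrl` starts and ends outside the hunk.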
@@ -100,13 +100,14 @@ func InitProviders() (map[string]*Provider, error) {
 }
 
 // GetAuthURL returns the OAuth authorize URL for the provider.
-func (p *Provider) GetAuthURL(redirectURL string) string {
+func (p *Provider) GetAuthURL(redirectURL string, state string) string {
 	u, _ := url.Parse(p.AuthURL)
 	q := u.Query()
 	q.Set("client_id", p.ClientID)
 	q.Set("redirect_uri", redirectURL)
 	q.Set("scope", p.Scope)
-	q.Set("response_type", "token")
+	q.Set("response_type", "code")
+	q.Set("state", state)
 	u.RawQuery = q.Encode()
 	return u.String()
 }
@@ -118,7 +119,12 @@ func (p *Provider) GetOAuthToken(code string, redirectURL string) (*OAuthToken,
 	data.Set("client_id", p.ClientID)
 	data.Set("client_secret", p.ClientSecret)
 	data.Set("redirect_uri", redirectURL)
-	data.Set("code", code)
+
+	unescapedCode, err := url.QueryUnescape(code)
+	if err != nil {
+		return nil, err
+	}
+	data.Set("code", unescapedCode)
 
 	req, err := http.NewRequest("POST", p.TokenURL, strings.NewReader(data.Encode()))
 	if err != nil {
@@ -143,6 +149,7 @@ func (p *Provider) GetOAuthToken(code string, redirectURL string) (*OAuthToken,
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
+		log.Warnw("failed to get OAuth token", "body", string(body))
 		return nil, fmt.Errorf("failed to get OAuth token: %s", body)
 	}
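Review bot: The doc comment above `GetAuthURL` still describes the one-argument version; the new `state` parameter should be documented, in particular that it is placed verbatim in the `state` query parameter, that the provider echoes it back on the redirect, and that the caller is therefore responsible for making it unguessable and checking it on the callback. Suggested: `// GetAuthURL returns the provider's authorization-code URL. state is sent as the OAuth state parameter and comes back unchanged on the callback; callers must generate it unpredictably and verify it there.` Separately, `q.Set("state", state)` emits an empty `state=` when the caller passes `""`; if an empty state is never intended, guarding with `if state == "" { ... }` (error or skip) would make that explicit rather than relying on the provider to reject it.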
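Review bot: `url.QueryUnescape(code)` in the new block decodes the authorization code a second time if the caller already took it from a parsed query (for example `r.URL.Query().Get("code")`), which turns a literal `+` into a space and mangles any `%xx` run the provider put in the code; decoding belongs at exactly one layer, and since `data.Encode()` already escapes the value for the token request, the raw code should be passed through unchanged unless the caller is known to hand over a still-escaped string. The caller is not in this diff, so confirm which form it passes before changing this. The error is also returned bare; `return nil, fmt.Errorf("unescaping authorization code: %w", err)` keeps the cause identifiable when it surfaces in logs. `GetOAuthToken` starts and ends outside the hunk.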