better-auth 0.3.5 → 0.3.6

package/dist/api.js

@@ -1365,6 +1365,26 @@ var callbackOAuth = createAuthEndpoint(
         `${c.context.baseURL}/error?error=oauth_provider_not_found`
       );
     }
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=please_restart_the_process`
+      );
+    }
+    const {
+      data: { callbackURL, currentURL, dontRememberMe, code }
+    } = parsedState;
+    const storedCode = await c.getSignedCookie(
+      c.context.authCookies.state.name,
+      c.context.secret
+    );
+    if (storedCode !== code) {
+      logger.error("Oauth code mismatch", storedCode, code);
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=please_restart_the_process`
+      );
+    }
     const codeVerifier = await c.getSignedCookie(
       c.context.authCookies.pkCodeVerifier.name,
       c.context.secret
@@ -1379,7 +1399,7 @@ var callbackOAuth = createAuthEndpoint(
     } catch (e) {
       c.context.logger.error(e);
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_code_verification_failed`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     const user = await provider.getUserInfo(tokens).then((res) => res?.user);
@@ -1388,23 +1408,15 @@ var callbackOAuth = createAuthEndpoint(
       ...user,
       id
     });
-    const parsedState = parseState(c.query.state);
-    if (!parsedState.success) {
-      c.context.logger.error("Unable to parse state");
-      throw c.redirect(
-        `${c.context.baseURL}/error?error=invalid_state_parameter`
-      );
-    }
-    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
     if (!user || data.success === false) {
       logger.error("Unable to get user info", data.error);
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_validation_failed`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     if (!callbackURL) {
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_callback_url_not_found`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     const dbUser = await c.context.internalAdapter.findUserByEmail(user.email).catch((e) => {
@@ -1491,7 +1503,7 @@ var callbackOAuth = createAuthEndpoint(
         throw c.redirect(url.toString());
       }
     } catch {
-      const url = new URL(currentURL || callbackURL);
+      const url = new URL(currentURL || callbackURL || "");
       url.searchParams.set("error", "unable_to_create_session");
       throw c.redirect(url.toString());
     }

package/dist/index.js

@@ -1474,6 +1474,26 @@ var callbackOAuth = createAuthEndpoint(
         `${c.context.baseURL}/error?error=oauth_provider_not_found`
       );
     }
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=please_restart_the_process`
+      );
+    }
+    const {
+      data: { callbackURL, currentURL, dontRememberMe, code }
+    } = parsedState;
+    const storedCode = await c.getSignedCookie(
+      c.context.authCookies.state.name,
+      c.context.secret
+    );
+    if (storedCode !== code) {
+      logger.error("Oauth code mismatch", storedCode, code);
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=please_restart_the_process`
+      );
+    }
     const codeVerifier = await c.getSignedCookie(
       c.context.authCookies.pkCodeVerifier.name,
       c.context.secret
@@ -1488,7 +1508,7 @@ var callbackOAuth = createAuthEndpoint(
     } catch (e) {
       c.context.logger.error(e);
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_code_verification_failed`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     const user = await provider.getUserInfo(tokens).then((res) => res?.user);
@@ -1497,23 +1517,15 @@ var callbackOAuth = createAuthEndpoint(
       ...user,
       id
     });
-    const parsedState = parseState(c.query.state);
-    if (!parsedState.success) {
-      c.context.logger.error("Unable to parse state");
-      throw c.redirect(
-        `${c.context.baseURL}/error?error=invalid_state_parameter`
-      );
-    }
-    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
     if (!user || data.success === false) {
       logger.error("Unable to get user info", data.error);
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_validation_failed`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     if (!callbackURL) {
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_callback_url_not_found`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     const dbUser = await c.context.internalAdapter.findUserByEmail(user.email).catch((e) => {
@@ -1600,7 +1612,7 @@ var callbackOAuth = createAuthEndpoint(
         throw c.redirect(url.toString());
       }
     } catch {
-      const url = new URL(currentURL || callbackURL);
+      const url = new URL(currentURL || callbackURL || "");
       url.searchParams.set("error", "unable_to_create_session");
       throw c.redirect(url.toString());
     }

package/dist/plugins.js

@@ -1286,6 +1286,26 @@ var callbackOAuth = createAuthEndpoint(
         `${c.context.baseURL}/error?error=oauth_provider_not_found`
       );
     }
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=please_restart_the_process`
+      );
+    }
+    const {
+      data: { callbackURL, currentURL, dontRememberMe, code }
+    } = parsedState;
+    const storedCode = await c.getSignedCookie(
+      c.context.authCookies.state.name,
+      c.context.secret
+    );
+    if (storedCode !== code) {
+      logger.error("Oauth code mismatch", storedCode, code);
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=please_restart_the_process`
+      );
+    }
     const codeVerifier = await c.getSignedCookie(
       c.context.authCookies.pkCodeVerifier.name,
       c.context.secret
@@ -1300,7 +1320,7 @@ var callbackOAuth = createAuthEndpoint(
     } catch (e) {
       c.context.logger.error(e);
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_code_verification_failed`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     const user = await provider.getUserInfo(tokens).then((res) => res?.user);
@@ -1309,23 +1329,15 @@ var callbackOAuth = createAuthEndpoint(
       ...user,
       id
     });
-    const parsedState = parseState(c.query.state);
-    if (!parsedState.success) {
-      c.context.logger.error("Unable to parse state");
-      throw c.redirect(
-        `${c.context.baseURL}/error?error=invalid_state_parameter`
-      );
-    }
-    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
     if (!user || data.success === false) {
       logger.error("Unable to get user info", data.error);
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_validation_failed`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     if (!callbackURL) {
       throw c.redirect(
-        `${c.context.baseURL}/error?error=oauth_callback_url_not_found`
+        `${c.context.baseURL}/error?error=please_restart_the_process`
       );
     }
     const dbUser = await c.context.internalAdapter.findUserByEmail(user.email).catch((e) => {
@@ -1412,7 +1424,7 @@ var callbackOAuth = createAuthEndpoint(
         throw c.redirect(url.toString());
       }
     } catch {
-      const url = new URL(currentURL || callbackURL);
+      const url = new URL(currentURL || callbackURL || "");
       url.searchParams.set("error", "unable_to_create_session");
       throw c.redirect(url.toString());
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "0.3.5",
+  "version": "0.3.6",
   "description": "The most comprehensive authentication library for TypeScript.",
   "type": "module",
   "main": "./dist/index.js",