fix: revert "fix: do not require state parameter to create a token (#288)"

This reverts commit f14c68e.

Author: wolfy1339

README.md

@@ -442,6 +442,7 @@ For the web flow, you have to pass the `code` from URL redirect described in [st
 
 ```js
 const { token } = await app.createToken({
+  state: "state123",
   code: "code123",
 });
 ```

src/middleware/handle-request.ts

@@ -1,5 +1,5 @@
 import { OAuthApp } from "../index";
-import { HandlerOptions, OctokitRequest, OctokitResponse } from "./types";
+import { OctokitRequest, OctokitResponse, HandlerOptions } from "./types";
 import { ClientType, Options } from "../types";
 // @ts-ignore - requires esModuleInterop flag
 import fromEntries from "fromentries";
@@ -89,13 +89,16 @@ export async function handleRequest(
           `[@octokit/oauth-app] ${query.error} ${query.error_description}`
         );
       }
-      if (!query.code) {
-        throw new Error('[@octokit/oauth-app] "code" parameter is required');
+      if (!query.state || !query.code) {
+        throw new Error(
+          '[@octokit/oauth-app] Both "code" & "state" parameters are required'
+        );
       }
 
       const {
         authentication: { token },
       } = await app.createToken({
+        state: query.state,
         code: query.code,
       });
 
@@ -111,13 +114,16 @@ export async function handleRequest(
     }
 
     if (route === routes.createToken) {
-      const { code, redirectUrl } = json;
+      const { state: oauthState, code, redirectUrl } = json;
 
-      if (!code) {
-        throw new Error('[@octokit/oauth-app] "code" parameter is required');
+      if (!oauthState || !code) {
+        throw new Error(
+          '[@octokit/oauth-app] Both "code" & "state" parameters are required'
+        );
       }
 
       const result = await app.createToken({
+        state: oauthState,
         code,
         redirectUrl,
       });

src/middleware/web-worker/index.ts

@@ -13,8 +13,8 @@ async function onUnhandledRequestDefaultWebWorker(
   return sendResponse(octokitResponse);
 }
 
-export function createWebWorkerHandler<T>(
-  app: OAuthApp<T>,
+export function createWebWorkerHandler(
+  app: OAuthApp,
   {
     pathPrefix,
     onUnhandledRequest = onUnhandledRequestDefaultWebWorker,

test/app.test.ts

@@ -92,7 +92,9 @@ describe("app", () => {
       clientId: "0123",
       clientSecret: "0123secret",
     });
-    const { url } = app.getWebFlowAuthorizationUrl({ state: "state123" });
+    const { url } = app.getWebFlowAuthorizationUrl({
+      state: "state123",
+    });
     expect(url).toStrictEqual(
       "https://github.com/login/oauth/authorize?allow_signup=true&client_id=0123&state=state123"
     );
@@ -103,7 +105,9 @@ describe("app", () => {
       clientId: "lv1.0123",
       clientSecret: "0123secret",
     });
-    const { url } = app.getWebFlowAuthorizationUrl({ state: "state123" });
+    const { url } = app.getWebFlowAuthorizationUrl({
+      state: "state123",
+    });
     expect(url).toStrictEqual(
       "https://github.com/login/oauth/authorize?allow_signup=true&client_id=lv1.0123&state=state123"
     );
@@ -124,6 +128,7 @@ describe("app", () => {
             client_id: "0123",
             client_secret: "0123secret",
             code: "code123",
+            state: "state123",
           },
         }
       )
@@ -153,6 +158,7 @@ describe("app", () => {
     app.on("token.created", onTokenCallback);
 
     const result = await app.createToken({
+      state: "state123",
       code: "code123",
     });
 
@@ -189,6 +195,7 @@ describe("app", () => {
   it("app.createToken(options) for device flow", async () => {
     const mock = fetchMock
       .sandbox()
+
       .postOnce(
         "https://github.com/login/device/code",
         {
@@ -937,6 +944,7 @@ describe("app", () => {
             client_id: "0123",
             client_secret: "0123secret",
             code: "code123",
+            state: "state123",
           },
         }
       )
@@ -977,6 +985,7 @@ describe("app", () => {
     app.on("token.created", onTokenCallback2);
 
     await app.createToken({
+      state: "state123",
       code: "code123",
     });
 

test/node-middleware.test.ts

@@ -2,7 +2,7 @@ import { createServer } from "http";
 import { URL } from "url";
 
 import fetch from "node-fetch";
-import { createNodeMiddleware, OAuthApp } from "../src/";
+import { OAuthApp, createNodeMiddleware } from "../src/";
 
 // import without types
 const express = require("express");
@@ -152,6 +152,7 @@ describe("createNodeMiddleware(app)", () => {
 
     expect(appMock.createToken.mock.calls.length).toEqual(1);
     expect(appMock.createToken.mock.calls[0][0]).toStrictEqual({
+      state: "state123",
       code: "012345",
     });
   });
@@ -179,6 +180,7 @@ describe("createNodeMiddleware(app)", () => {
         method: "POST",
         body: JSON.stringify({
           code: "012345",
+          state: "state123",
           redirectUrl: "http://example.com",
         }),
       }
@@ -193,6 +195,7 @@ describe("createNodeMiddleware(app)", () => {
 
     expect(appMock.createToken.mock.calls.length).toEqual(1);
     expect(appMock.createToken.mock.calls[0][0]).toStrictEqual({
+      state: "state123",
       code: "012345",
       redirectUrl: "http://example.com",
     });
@@ -568,7 +571,8 @@ describe("createNodeMiddleware(app)", () => {
 
     expect(response.status).toEqual(400);
     expect(await response.json()).toStrictEqual({
-      error: '[@octokit/oauth-app] "code" parameter is required',
+      error:
+        '[@octokit/oauth-app] Both "code" & "state" parameters are required',
     });
   });
 
@@ -615,7 +619,8 @@ describe("createNodeMiddleware(app)", () => {
 
     expect(response.status).toEqual(400);
     expect(await response.json()).toStrictEqual({
-      error: '[@octokit/oauth-app] "code" parameter is required',
+      error:
+        '[@octokit/oauth-app] Both "code" & "state" parameters are required',
     });
   });
 

test/web-worker-handler.test.ts

@@ -139,6 +139,7 @@ describe("createWebWorkerHandler(app)", () => {
 
     expect(appMock.createToken.mock.calls.length).toEqual(1);
     expect(appMock.createToken.mock.calls[0][0]).toStrictEqual({
+      state: "state123",
       code: "012345",
     });
   });
@@ -161,6 +162,7 @@ describe("createWebWorkerHandler(app)", () => {
       method: "POST",
       body: JSON.stringify({
         code: "012345",
+        state: "state123",
         redirectUrl: "http://example.com",
       }),
     });
@@ -173,6 +175,7 @@ describe("createWebWorkerHandler(app)", () => {
 
     expect(appMock.createToken.mock.calls.length).toEqual(1);
     expect(appMock.createToken.mock.calls[0][0]).toStrictEqual({
+      state: "state123",
       code: "012345",
       redirectUrl: "http://example.com",
     });
@@ -464,7 +467,8 @@ describe("createWebWorkerHandler(app)", () => {
 
     expect(response.status).toEqual(400);
     expect(await response.json()).toStrictEqual({
-      error: '[@octokit/oauth-app] "code" parameter is required',
+      error:
+        '[@octokit/oauth-app] Both "code" & "state" parameters are required',
     });
   });
 
@@ -500,7 +504,8 @@ describe("createWebWorkerHandler(app)", () => {
 
     expect(response.status).toEqual(400);
     expect(await response.json()).toStrictEqual({
-      error: '[@octokit/oauth-app] "code" parameter is required',
+      error:
+        '[@octokit/oauth-app] Both "code" & "state" parameters are required',
     });
   });