fix: oauth state split

lakhansamani · lakhansamani · commit fd9eb7c7338d · 2022-03-08T19:13:45.000+05:30
diff --git a/server/handlers/oauth_callback.go b/server/handlers/oauth_callback.go
@@ -37,7 +37,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		}
 		sessionstore.GetState(state)
 		// contains random token, redirect url, role
-		sessionSplit := strings.Split(state, "@")
+		sessionSplit := strings.Split(state, "___")
 
 		if len(sessionSplit) < 3 {
 			c.JSON(400, gin.H{"error": "invalid redirect url"})
diff --git a/server/handlers/oauth_login.go b/server/handlers/oauth_login.go
@@ -58,7 +58,7 @@ func OAuthLoginHandler() gin.HandlerFunc {
 			roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
 		}
 
-		oauthStateString := state + "@" + redirectURI + "@" + roles + "@" + strings.Join(scope, ",")
+		oauthStateString := state + "___" + redirectURI + "___" + roles + "___" + strings.Join(scope, ",")
 
 		provider := c.Param("oauth_provider")
 		isProviderConfigured := true

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {`
`37`	`37`	`}`
`38`	`38`	`sessionstore.GetState(state)`
`39`	`39`	`// contains random token, redirect url, role`
`40`		`- sessionSplit := strings.Split(state, "@")`
	`40`	`+ sessionSplit := strings.Split(state, "___")`
`41`	`41`
`42`	`42`	`if len(sessionSplit) < 3 {`
`43`	`43`	`c.JSON(400, gin.H{"error": "invalid redirect url"})`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func OAuthLoginHandler() gin.HandlerFunc {`
`58`	`58`	`roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")`
`59`	`59`	`}`
`60`	`60`
`61`		`- oauthStateString := state + "@" + redirectURI + "@" + roles + "@" + strings.Join(scope, ",")`
	`61`	`+ oauthStateString := state + "___" + redirectURI + "___" + roles + "___" + strings.Join(scope, ",")`
`62`	`62`
`63`	`63`	`provider := c.Param("oauth_provider")`
`64`	`64`	`isProviderConfigured := true`