fix: fix nonce in redirect function in AbstractProvider

albertcht · albertcht · commit 93ad80409b59 · 2025-06-12T20:35:52.000+08:00
diff --git a/src/socialite/src/Two/AbstractProvider.php b/src/socialite/src/Two/AbstractProvider.php
@@ -74,7 +74,7 @@ public function __construct(
     /**
      * Get the authentication URL for the provider.
      */
-    abstract protected function getAuthUrl(string $state): string;
+    abstract protected function getAuthUrl(?string $state): string;
 
     /**
      * Get the token URL for the provider.
@@ -114,7 +114,7 @@ public function redirect(): ResponseInterface
     /**
      * Build the authentication URL for the provider from the given base URL.
      */
-    protected function buildAuthUrlFromBase(string $url, string $state): string
+    protected function buildAuthUrlFromBase(string $url, ?string $state): string
     {
         return $url . '?' . http_build_query($this->getCodeFields($state), '', '&', $this->encodingType);
     }
diff --git a/src/socialite/src/Two/BitbucketProvider.php b/src/socialite/src/Two/BitbucketProvider.php
@@ -20,7 +20,7 @@ class BitbucketProvider extends AbstractProvider implements ProviderInterface
      */
     protected string $scopeSeparator = ' ';
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://bitbucket.org/site/oauth2/authorize', $state);
     }
diff --git a/src/socialite/src/Two/FacebookProvider.php b/src/socialite/src/Two/FacebookProvider.php
@@ -44,7 +44,7 @@ class FacebookProvider extends AbstractProvider implements ProviderInterface
      */
     protected bool $reRequest = false;
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://www.facebook.com/' . $this->getGraphVersion() . '/dialog/oauth', $state);
     }
diff --git a/src/socialite/src/Two/GithubProvider.php b/src/socialite/src/Two/GithubProvider.php
@@ -15,7 +15,7 @@ class GithubProvider extends AbstractProvider implements ProviderInterface
      */
     protected array $scopes = ['user:email'];
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://github.com/login/oauth/authorize', $state);
     }
diff --git a/src/socialite/src/Two/GitlabProvider.php b/src/socialite/src/Two/GitlabProvider.php
@@ -35,7 +35,7 @@ public function setHost(?string $host): static
         return $this;
     }
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase($this->host . '/oauth/authorize', $state);
     }
diff --git a/src/socialite/src/Two/GoogleProvider.php b/src/socialite/src/Two/GoogleProvider.php
@@ -23,7 +23,7 @@ class GoogleProvider extends AbstractProvider implements ProviderInterface
         'email',
     ];
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://accounts.google.com/o/oauth2/auth', $state);
     }
diff --git a/src/socialite/src/Two/LinkedInOpenIdProvider.php b/src/socialite/src/Two/LinkedInOpenIdProvider.php
@@ -18,7 +18,7 @@ class LinkedInOpenIdProvider extends AbstractProvider implements ProviderInterfa
      */
     protected string $scopeSeparator = ' ';
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://www.linkedin.com/oauth/v2/authorization', $state);
     }
diff --git a/src/socialite/src/Two/LinkedInProvider.php b/src/socialite/src/Two/LinkedInProvider.php
@@ -19,7 +19,7 @@ class LinkedInProvider extends AbstractProvider implements ProviderInterface
      */
     protected string $scopeSeparator = ' ';
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://www.linkedin.com/oauth/v2/authorization', $state);
     }
diff --git a/src/socialite/src/Two/OpenIdProvider.php b/src/socialite/src/Two/OpenIdProvider.php
@@ -45,11 +45,44 @@ abstract protected function getBaseUrl(): string;
      */
     public function redirect(): ResponseInterface
     {
+        $state = null;
+        $nonce = null;
+
+        if ($this->usesState()) {
+            $this->request->session()->put('state', $state = $this->getState());
+        }
+
+        if ($this->usesPKCE()) {
+            $this->request->session()->put('code_verifier', $this->getCodeVerifier());
+        }
+
         if ($this->usesNonce()) {
-            $this->request->session()->put('nonce', $this->getNonce());
+            $this->request->session()->put('nonce', $nonce = $this->getNonce());
         }
 
-        return parent::redirect();
+        return $this->response->redirect(
+            $this->getAuthUrl($state, $nonce)
+        );
+    }
+
+    /**
+     * Get the authentication URL for the provider.
+     */
+    protected function getAuthUrl(?string $state, ?string $nonce = null): string
+    {
+        return $this->buildAuthUrlFromBase(
+            $this->getOpenIdConfig()['authorization_endpoint'],
+            $state,
+            $nonce
+        );
+    }
+
+    /**
+     * Build the authentication URL for the provider from the given base URL.
+     */
+    protected function buildAuthUrlFromBase(string $url, ?string $state, ?string $nonce = null): string
+    {
+        return $url . '?' . http_build_query($this->getCodeFields($state, $nonce), '', '&', $this->encodingType);
     }
 
     /**
@@ -76,26 +109,15 @@ protected function getJwksUri(): string
         return $this->getOpenIdConfig()['jwks_uri'];
     }
 
-    /**
-     * Get the authentication URL for the provider.
-     */
-    protected function getAuthUrl(string $state): string
-    {
-        return $this->buildAuthUrlFromBase(
-            $this->getOpenIdConfig()['authorization_endpoint'],
-            $state
-        );
-    }
-
     /**
      * Get the GET parameters for the code request.
      */
-    protected function getCodeFields(?string $state = null): array
+    protected function getCodeFields(?string $state = null, ?string $nonce = null): array
     {
         $fields = parent::getCodeFields($state);
 
-        if ($this->usesState()) {
-            $fields['state'] = $state;
+        if ($this->usesNonce()) {
+            $fields['nonce'] = $nonce;
         }
 
         return $fields;
diff --git a/src/socialite/src/Two/SlackOpenIdProvider.php b/src/socialite/src/Two/SlackOpenIdProvider.php
@@ -19,7 +19,7 @@ class SlackOpenIdProvider extends AbstractProvider implements ProviderInterface
      */
     protected string $scopeSeparator = ' ';
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://slack.com/openid/connect/authorize', $state);
     }
diff --git a/src/socialite/src/Two/SlackProvider.php b/src/socialite/src/Two/SlackProvider.php
@@ -47,7 +47,7 @@ protected function setScopeKey(string $scopeKey): static
         return $this;
     }
 
-    public function getAuthUrl(string $state): string
+    public function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://slack.com/oauth/v2/authorize', $state);
     }
diff --git a/src/socialite/src/Two/TwitchProvider.php b/src/socialite/src/Two/TwitchProvider.php
@@ -19,7 +19,7 @@ class TwitchProvider extends AbstractProvider implements ProviderInterface
      */
     protected string $scopeSeparator = ' ';
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://id.twitch.tv/oauth2/authorize', $state);
     }
diff --git a/src/socialite/src/Two/XProvider.php b/src/socialite/src/Two/XProvider.php
@@ -29,7 +29,7 @@ class XProvider extends AbstractProvider implements ProviderInterface
      */
     protected int $encodingType = PHP_QUERY_RFC3986;
 
-    public function getAuthUrl(string $state): string
+    public function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('https://x.com/i/oauth2/authorize', $state);
     }
diff --git a/tests/Socialite/Fixtures/GoogleTestProviderStub.php b/tests/Socialite/Fixtures/GoogleTestProviderStub.php
@@ -16,7 +16,7 @@ class GoogleTestProviderStub extends GoogleProvider
      */
     public $http;
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('http://auth.url', $state);
     }
diff --git a/tests/Socialite/Fixtures/OAuthTwoTestProviderStub.php b/tests/Socialite/Fixtures/OAuthTwoTestProviderStub.php
@@ -16,7 +16,7 @@ class OAuthTwoTestProviderStub extends AbstractProvider
      */
     public $http;
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state): string
     {
         return $this->buildAuthUrlFromBase('http://auth.url', $state);
     }
diff --git a/tests/Socialite/Fixtures/OpenIdTestProviderStub.php b/tests/Socialite/Fixtures/OpenIdTestProviderStub.php
@@ -21,9 +21,9 @@ protected function getBaseUrl(): string
         return 'http://base.url';
     }
 
-    protected function getAuthUrl(string $state): string
+    protected function getAuthUrl(?string $state, ?string $nonce = null): string
     {
-        return $this->buildAuthUrlFromBase('http://auth.url', $state);
+        return $this->buildAuthUrlFromBase('http://auth.url', $state, $nonce);
     }
 
     protected function getTokenUrl(): string
diff --git a/tests/Socialite/OpenIdProviderTest.php b/tests/Socialite/OpenIdProviderTest.php
@@ -56,8 +56,8 @@ public function testRedirectGeneratesTheProperRedirectResponseWithoutPKCE()
         $response = m::mock(ResponseContract::class);
         $response->shouldReceive('redirect')
             ->once()
-            ->with(m::on(function ($url) use (&$state) {
-                return $url === "http://auth.url?client_id=client_id&redirect_uri=redirect&scope=&response_type=code&state={$state}";
+            ->with(m::on(function ($url) use (&$state, &$nonce) {
+                return $url === "http://auth.url?client_id=client_id&redirect_uri=redirect&scope=&response_type=code&state={$state}&nonce={$nonce}";
             }))->andReturn($redirectResponse = m::mock(ResponseInterface::class));
 
         $session->expects('put')->twice()->withArgs($closure);

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ class BitbucketProvider extends AbstractProvider implements ProviderInterface`
`20`	`20`	`*/`
`21`	`21`	`protected string $scopeSeparator = ' ';`
`22`	`22`
`23`		`- protected function getAuthUrl(string $state): string`
	`23`	`+ protected function getAuthUrl(?string $state): string`
`24`	`24`	`{`
`25`	`25`	`return $this->buildAuthUrlFromBase('https://bitbucket.org/site/oauth2/authorize', $state);`
`26`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ class FacebookProvider extends AbstractProvider implements ProviderInterface`
`44`	`44`	`*/`
`45`	`45`	`protected bool $reRequest = false;`
`46`	`46`
`47`		`- protected function getAuthUrl(string $state): string`
	`47`	`+ protected function getAuthUrl(?string $state): string`
`48`	`48`	`{`
`49`	`49`	`return $this->buildAuthUrlFromBase('https://www.facebook.com/' . $this->getGraphVersion() . '/dialog/oauth', $state);`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ class GithubProvider extends AbstractProvider implements ProviderInterface`
`15`	`15`	`*/`
`16`	`16`	`protected array $scopes = ['user:email'];`
`17`	`17`
`18`		`- protected function getAuthUrl(string $state): string`
	`18`	`+ protected function getAuthUrl(?string $state): string`
`19`	`19`	`{`
`20`	`20`	`return $this->buildAuthUrlFromBase('https://github.com/login/oauth/authorize', $state);`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public function setHost(?string $host): static`
`35`	`35`	`return $this;`
`36`	`36`	`}`
`37`	`37`
`38`		`- protected function getAuthUrl(string $state): string`
	`38`	`+ protected function getAuthUrl(?string $state): string`
`39`	`39`	`{`
`40`	`40`	`return $this->buildAuthUrlFromBase($this->host . '/oauth/authorize', $state);`
`41`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ class GoogleProvider extends AbstractProvider implements ProviderInterface`
`23`	`23`	`'email',`
`24`	`24`	`];`
`25`	`25`
`26`		`- protected function getAuthUrl(string $state): string`
	`26`	`+ protected function getAuthUrl(?string $state): string`
`27`	`27`	`{`
`28`	`28`	`return $this->buildAuthUrlFromBase('https://accounts.google.com/o/oauth2/auth', $state);`
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ class LinkedInOpenIdProvider extends AbstractProvider implements ProviderInterfa`
`18`	`18`	`*/`
`19`	`19`	`protected string $scopeSeparator = ' ';`
`20`	`20`
`21`		`- protected function getAuthUrl(string $state): string`
	`21`	`+ protected function getAuthUrl(?string $state): string`
`22`	`22`	`{`
`23`	`23`	`return $this->buildAuthUrlFromBase('https://www.linkedin.com/oauth/v2/authorization', $state);`
`24`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ class LinkedInProvider extends AbstractProvider implements ProviderInterface`
`19`	`19`	`*/`
`20`	`20`	`protected string $scopeSeparator = ' ';`
`21`	`21`
`22`		`- protected function getAuthUrl(string $state): string`
	`22`	`+ protected function getAuthUrl(?string $state): string`
`23`	`23`	`{`
`24`	`24`	`return $this->buildAuthUrlFromBase('https://www.linkedin.com/oauth/v2/authorization', $state);`
`25`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ class SlackOpenIdProvider extends AbstractProvider implements ProviderInterface`
`19`	`19`	`*/`
`20`	`20`	`protected string $scopeSeparator = ' ';`
`21`	`21`
`22`		`- protected function getAuthUrl(string $state): string`
	`22`	`+ protected function getAuthUrl(?string $state): string`
`23`	`23`	`{`
`24`	`24`	`return $this->buildAuthUrlFromBase('https://slack.com/openid/connect/authorize', $state);`
`25`	`25`	`}`