feat(login) Redirect after login

r4id4h · r4id4h · commit 834856402cda · 2025-08-10T16:04:41.000+02:00
diff --git a/src/runtime/server/handler/callback.ts b/src/runtime/server/handler/callback.ts
@@ -30,6 +30,12 @@ function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
     const session = await useAuthSession(event, config.sessionConfiguration?.maxAuthSessionAge)
 
     const { code, state, id_token, admin_consent, error, error_description }: { code: string; state: string; id_token: string; admin_consent: string; error: string; error_description: string } = event.method === 'POST' ? await readBody(event) : getQuery(event)
+    let stateObj: { token: string; additionalClientAuthParameters: Record<string, string> } | null = null;
+    try {
+      stateObj = typeof state === "string" ? JSON.parse(state) : state;
+    } catch {
+      stateObj = null;
+    }
 
     // Check for admin consent callback
     if (admin_consent) {
@@ -57,7 +63,7 @@ function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
     }
 
     // Check for valid state
-    if (config.state && (state !== session.data.state)) {
+    if (config.state && (stateObj?.token! !== session.data.state.token!)) {
       oidcErrorHandler(event, 'State mismatch')
     }
 
@@ -215,7 +221,8 @@ function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
     deleteCookie(event, 'oidc')
     return onSuccess(event, {
       user,
-      callbackRedirectUrl: config.callbackRedirectUrl as string,
+      callbackRedirectUrl: (stateObj?.additionalClientAuthParameters?.redirectUriOverride ??
+        (config.callbackRedirectUrl as string)),
     })
   })
 }
diff --git a/src/runtime/server/handler/login.get.ts b/src/runtime/server/handler/login.get.ts
@@ -25,13 +25,6 @@ function loginEventHandler() {
     // Initialize auth session
     const session = await useAuthSession(event, config.sessionConfiguration?.maxAuthSessionAge)
     await session.clear()
-    await session.update({
-      state: generateRandomUrlSafeString(),
-      codeVerifier: generatePkceVerifier(),
-      referer: getRequestHeader(event, 'referer'),
-      nonce: undefined,
-    })
-
     // Get client side query parameters
     const additionalClientAuthParameters: Record<string, string> = {}
     if (config.allowedClientAuthParameters?.length) {
@@ -43,6 +36,18 @@ function loginEventHandler() {
       })
     }
 
+    const state = {
+      token: generateRandomUrlSafeString(),
+      additionalClientAuthParameters: additionalClientAuthParameters
+    }
+
+    await session.update({
+      state,
+      codeVerifier: generatePkceVerifier(),
+      referer: getRequestHeader(event, 'referer'),
+      nonce: undefined,
+    })
+
     let clientRedirectUri: string | undefined
     if (config.allowedCallbackRedirectUrls?.length) {
       const clientQueryParams = getQuery(event)
