refactor(auth): clear oauth state after validation

xHeaven · xHeaven · commit 4335c65b564d · 2025-12-03T08:23:47.000+01:00
diff --git a/packages/auth/src/OAuth/GenericOAuthClient.php b/packages/auth/src/OAuth/GenericOAuthClient.php
@@ -100,7 +100,12 @@ public function fetchUser(AccessToken $token): OAuthUser
 
     public function authenticate(Request $request, Closure $map): Authenticatable
     {
-        if ($this->session->get($this->sessionKey) !== $request->get('state')) {
+        $expectedState = $this->session->get($this->sessionKey);
+        $actualState = $request->get('state');
+
+        $this->session->remove($this->sessionKey);
+
+        if ($expectedState !== $actualState) {
             throw new OAuthStateWasInvalid();
         }
 

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,12 @@ public function fetchUser(AccessToken $token): OAuthUser`
`100`	`100`
`101`	`101`	`public function authenticate(Request $request, Closure $map): Authenticatable`
`102`	`102`	`{`
`103`		`- if ($this->session->get($this->sessionKey) !== $request->get('state')) {`
	`103`	`+ $expectedState = $this->session->get($this->sessionKey);`
	`104`	`+ $actualState = $request->get('state');`
	`105`	`+`
	`106`	`+ $this->session->remove($this->sessionKey);`
	`107`	`+`
	`108`	`+ if ($expectedState !== $actualState) {`
`104`	`109`	`throw new OAuthStateWasInvalid();`
`105`	`110`	`}`
`106`	`111`