fix(oauth): properly set state when creating the redirect URL (#1592)

Author: brendt

packages/auth/src/OAuth/GenericOAuthClient.php

@@ -62,9 +62,11 @@ public function buildAuthorizationUrl(array $scopes = [], array $options = []):
 
     public function createRedirect(array $scopes = [], array $options = []): Redirect
     {
+        $to = $this->buildAuthorizationUrl();
+
         $this->session->set($this->sessionKey, $this->provider->getState());
 
-        return new Redirect($this->buildAuthorizationUrl());
+        return new Redirect($to);
     }
 
     public function getState(): ?string

tests/Integration/Auth/OAuth/GenericOAuthClientTest.php

@@ -7,6 +7,7 @@
 use Tempest\Auth\OAuth\Config\GitHubOAuthConfig;
 use Tempest\Auth\OAuth\GenericOAuthClient;
 use Tempest\Auth\OAuth\OAuthClient;
+use Tempest\Http\Session\Session;
 use Tests\Tempest\Integration\FrameworkIntegrationTestCase;
 
 final class GenericOAuthClientTest extends FrameworkIntegrationTestCase
@@ -31,4 +32,24 @@ public function throws_when_no_config(): void
 
         $this->container->get(OAuthClient::class);
     }
+
+    #[Test]
+    public function state_is_set_when_redirect_is_created(): void
+    {
+        $this->container->config(new GitHubOAuthConfig(
+            clientId: 'client-id',
+            clientSecret: 'client-secret', // @mago-expect lint:no-literal-password
+            redirectTo: '/oauth/callback',
+            scopes: ['user:email'],
+        ));
+
+        /** @var GenericOAuthClient $oauth */
+        $oauth = $this->container->get(OAuthClient::class);
+
+        $oauth->createRedirect();
+
+        $session = $this->container->get(Session::class);
+
+        $this->assertNotNull($session->get($oauth->sessionKey));
+    }
 }