refactor(auth): clear oauth state after validation (#1754)

xHeaven · web-flow · commit c5db557a7ba3 · 2025-12-03T23:00:56.000+01:00
diff --git a/packages/auth/src/OAuth/GenericOAuthClient.php b/packages/auth/src/OAuth/GenericOAuthClient.php
@@ -100,7 +100,12 @@ public function fetchUser(AccessToken $token): OAuthUser
 
     public function authenticate(Request $request, Closure $map): Authenticatable
     {
-        if ($this->session->get($this->sessionKey) !== $request->get('state')) {
+        $expectedState = $this->session->get($this->sessionKey);
+        $actualState = $request->get('state');
+
+        $this->session->remove($this->sessionKey);
+
+        if ($expectedState !== $actualState) {
             throw new OAuthStateWasInvalid();
         }
 
diff --git a/packages/auth/src/OAuth/Testing/TestingOAuthClient.php b/packages/auth/src/OAuth/Testing/TestingOAuthClient.php
@@ -9,6 +9,7 @@
 use PHPUnit\Framework\Assert;
 use Tempest\Auth\Authentication\Authenticatable;
 use Tempest\Auth\Authentication\Authenticator;
+use Tempest\Auth\Exceptions\OAuthStateWasInvalid;
 use Tempest\Auth\OAuth\OAuthClient;
 use Tempest\Auth\OAuth\OAuthConfig;
 use Tempest\Auth\OAuth\OAuthUser;
@@ -124,6 +125,15 @@ public function createRedirect(array $scopes = [], array $options = []): Redirec
 
     public function authenticate(Request $request, Closure $map): Authenticatable
     {
+        $expectedState = $this->state;
+        $actualState = $request->get('state');
+
+        $this->state = null;
+
+        if ($expectedState !== $actualState) {
+            throw new OAuthStateWasInvalid();
+        }
+
         $user = $this->fetchUser($this->requestAccessToken($request->get('code')));
 
         $authenticatable = $map($user);
diff --git a/tests/Integration/Auth/OAuth/TestingOAuthClientTest.php b/tests/Integration/Auth/OAuth/TestingOAuthClientTest.php
@@ -5,6 +5,7 @@
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\Attributes\TestWith;
 use Tempest\Auth\Authentication\Authenticatable;
+use Tempest\Auth\Exceptions\OAuthStateWasInvalid;
 use Tempest\Auth\OAuth\Config\GitHubOAuthConfig;
 use Tempest\Auth\OAuth\OAuthClient;
 use Tempest\Auth\OAuth\OAuthUser;
@@ -263,6 +264,69 @@ public function abstracted_flow(): void
         $this->assertEquals('Jane Developer', $user->full_name);
         $this->assertEquals('janedev', $user->username);
     }
+
+    #[Test]
+    public function state_is_cleared_after_authentication(): void
+    {
+        $this->database->reset(migrate: false);
+        $this->database->migrate(CreateMigrationsTable::class, CreateUsersTable::class);
+
+        $this->container->config(new GitHubOAuthConfig(
+            clientId: 'foo',
+            clientSecret: 'bar', // @mago-expect lint:no-literal-password
+            redirectTo: '/oauth/github',
+        ));
+
+        $client = $this->oauth->fake($this->user);
+
+        $client->createRedirect();
+
+        $this->assertNotNull($client->getState());
+
+        $request = new GenericRequest(
+            method: Method::GET,
+            uri: Uri\set_query('/oauth/callback', code: 'auth-code', state: $client->getState()),
+        );
+
+        $client->authenticate(
+            $request,
+            static fn (OAuthUser $user): User => query(User::class)->updateOrCreate(
+                ['github_id' => $user->id],
+                ['email' => $user->email ?? '', 'full_name' => $user->name ?? '', 'username' => $user->nickname ?? ''],
+            ),
+        );
+
+        $this->assertNull($client->getState());
+    }
+
+    #[Test]
+    public function state_is_cleared_even_when_validation_fails(): void
+    {
+        $this->container->config(new GitHubOAuthConfig(
+            clientId: 'foo',
+            clientSecret: 'bar', // @mago-expect lint:no-literal-password
+            redirectTo: '/oauth/github',
+        ));
+
+        $client = $this->oauth->fake($this->user);
+
+        $client->createRedirect();
+
+        $this->assertNotNull($client->getState());
+
+        $request = new GenericRequest(
+            method: Method::GET,
+            uri: Uri\set_query('/oauth/callback', code: 'auth-code', state: 'invalid-state'),
+        );
+
+        try {
+            $client->authenticate($request, static fn (OAuthUser $user): User => new User('', '', '', ''));
+        } catch (OAuthStateWasInvalid) {
+            // @mago-expect lint:no-empty-catch-clause
+        }
+
+        $this->assertNull($client->getState());
+    }
 }
 
 final class User implements Authenticatable

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,12 @@ public function fetchUser(AccessToken $token): OAuthUser`
`100`	`100`
`101`	`101`	`public function authenticate(Request $request, Closure $map): Authenticatable`
`102`	`102`	`{`
`103`		`- if ($this->session->get($this->sessionKey) !== $request->get('state')) {`
	`103`	`+ $expectedState = $this->session->get($this->sessionKey);`
	`104`	`+ $actualState = $request->get('state');`
	`105`	`+`
	`106`	`+ $this->session->remove($this->sessionKey);`
	`107`	`+`
	`108`	`+ if ($expectedState !== $actualState) {`
`104`	`109`	`throw new OAuthStateWasInvalid();`
`105`	`110`	`}`
`106`	`111`