From 4492691ce24b76a9b428dd4e16e89505df8e3301 Mon Sep 17 00:00:00 2001
From: Jeffrey Leon
Date: Thu, 6 Nov 2025 12:50:04 -0400
Subject: [PATCH] fix: update handlePkceVerifier to accept onlyConsume option for prevent code_challenge missing in authorize query
---
 src/runtime/server/lib/oauth/azureb2c.ts | 2 +-
 src/runtime/server/lib/oauth/kick.ts | 2 +-
 src/runtime/server/lib/oauth/zitadel.ts | 2 +-
 src/runtime/server/lib/utils.ts | 7 ++++++-
 4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/runtime/server/lib/oauth/azureb2c.ts b/src/runtime/server/lib/oauth/azureb2c.ts
index 71da9e28..03795c1b 100644
--- a/src/runtime/server/lib/oauth/azureb2c.ts
+++ b/src/runtime/server/lib/oauth/azureb2c.ts
@@ -81,7 +81,7 @@ export function defineOAuthAzureB2CEventHandler({ config, onSuccess, onError }:
 config.scope = [...new Set(config.scope)]
 // Create pkce verifier
- const verifier = await handlePkceVerifier(event)
+ const verifier = await handlePkceVerifier(event, { onlyConsume: !!query.code })
 const state = await handleState(event)
 if (!query.code) {
diff --git a/src/runtime/server/lib/oauth/kick.ts b/src/runtime/server/lib/oauth/kick.ts
index 016efa56..901c5ac2 100644
--- a/src/runtime/server/lib/oauth/kick.ts
+++ b/src/runtime/server/lib/oauth/kick.ts
@@ -61,7 +61,7 @@ export function defineOAuthKickEventHandler({ config, onSuccess, onError }: OAut
 }
 // Create pkce verifier
- const verifier = await handlePkceVerifier(event)
+ const verifier = await handlePkceVerifier(event, { onlyConsume: !!query.code })
 const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
diff --git a/src/runtime/server/lib/oauth/zitadel.ts b/src/runtime/server/lib/oauth/zitadel.ts
index c2a85993..8fc353ea 100644
--- a/src/runtime/server/lib/oauth/zitadel.ts
+++ b/src/runtime/server/lib/oauth/zitadel.ts
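Review bot: On the callback path the new call in azureb2c.ts can hand back a verifier object whose `code_verifier` is undefined, because `onlyConsume` is true for any request that carries a `code` parameter and in that mode `handlePkceVerifier` returns whatever `getCookie` found, including nothing. The token request is outside this hunk, but as far as the hunk shows nothing stops it from going out without a verifier, which leaves PKCE enforcement entirely to the provider. I would add a guard right after the call, `if (query.code && !verifier.code_verifier)`, that fails through the handler's existing `onError` path before the token exchange. The identical calls in kick.ts and zitadel.ts need the same guard.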
@@ -70,7 +70,7 @@ export function defineOAuthZitadelEventHandler({ config, onSuccess, onError }: O
 const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
 // Create pkce verifier
- const verifier = await handlePkceVerifier(event)
+ const verifier = await handlePkceVerifier(event, { onlyConsume: !!query.code })
 const state = await handleState(event)
 if (!query.code) {
diff --git a/src/runtime/server/lib/utils.ts b/src/runtime/server/lib/utils.ts
index 699eda29..59ce6be7 100644
--- a/src/runtime/server/lib/utils.ts
+++ b/src/runtime/server/lib/utils.ts
@@ -181,10 +181,15 @@ function getRandomBytes(size: number = 32) {
 return getRandomValues(new Uint8Array(size))
 }
-export async function handlePkceVerifier(event: H3Event) {
+export async function handlePkceVerifier(
+ event: H3Event,
+ { onlyConsume }: { onlyConsume?: boolean } = {},
+) {
 let verifier = getCookie(event, 'nuxt-auth-pkce')
 if (verifier) {
 deleteCookie(event, 'nuxt-auth-pkce')
+ }
+ if (onlyConsume) {
 return { code_verifier: verifier }
 }
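Review bot: In utils.ts, `handlePkceVerifier(event)` called without the option no longer returns the stored verifier: the early `return` now sits behind `if (onlyConsume)`, so a cookie that is present is deleted and execution falls through to the rest of the function, which is outside the hunk and presumably issues a fresh verifier. Any provider handler not touched by this patch that still calls it with one argument on the callback would then send a verifier that does not match the original challenge. Making the field required, `{ onlyConsume }: { onlyConsume: boolean }` with no `= {}` default, would turn a missed call site into a type error. The function also deserves a TSDoc comment stating the two modes and that `code_verifier` is `string | undefined` in consume mode.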