refactor!: remove auto generate state logic

mt-max · mt-max · commit c68d22331c17 · 2020-11-11T14:52:32.000+09:00
BREAKING CHANGE: No more auto generate state on init to be used in `authorize`
and `onboard` API. There will be no default `state` and you will have to pass
one via the APIs' options parameter if you need one.
diff --git a/docs/README.md b/docs/README.md
@@ -84,7 +84,7 @@ mtLinkSdk.authorize(options);
 | <span id="api-authorize_options">options</span> | object | false | Value set during `init`. | Optional parameters as described in [common options](#common-api-options). |
 | options.scopes | string <p><strong>OR</strong></p> string[] | false | Value set during `init`.<p><strong>OR</strong></p>`guest_read` | Access scopes you're requesting. This can be a single scope, or an array of scopes.<br /><br />Currently supported scopes are:<br />`guest_read`, `accounts_read`, `points_read`, `point_transactions_read`, `transactions_read`, `transactions_write`, `expense_claims_read`, `categories_read`, `investment_accounts_read`, `investment_transactions_read`, `notifications_read`, `request_refresh`, `life_insurance_read`. |
 | options.redirectUri | string | false | Value set during `init`. | OAuth redirection URI, refer [here](https://www.oauth.com/oauth2-servers/redirect-uris/) for more details.<br /><br /><strong>NOTE:</strong> This function will throw an error if this value is undefined <strong>and</strong> no default value was provided in the [init options](?id=api-init_options). |
-| options.state | string | false | Value set during `init`.<p><strong>OR</strong></p>Randomly generated [uuid](<https://en.wikipedia.org/wiki/Universally_unique_identifier#Version_4_(random)>). | Refer [here](https://auth0.com/docs/protocols/oauth2/oauth-state) for more details.<br /><br /><strong>NOTE:</strong> Make sure to set this value explicitly if your server generates an identifier for the OAuth authorization request so that you can use to acquire the access token after the OAuth redirect occurs. |
+| options.state | string | false | You can pass in an optional value here during OAuth authorization request and validate the value is still same after an OAuth redirection. [Click here](https://tools.ietf.org/html/rfc6749#section-4.1.1)|
 | options.codeVerifier | string | false | Value set during `init`. | We only support SHA256, therefore this `codeVerifier` will be used to generate the `code_challenge` using the SHA256 hash algorithm. [Click here](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce) for more details.</p><strong>NOTE:</strong> Make sure to set this value explicitly if your server generates an identifier for the OAuth authorization request so that you can use to acquire the access token after the OAuth redirect occurs. |
 | <span id="authorize_option_force_logout">options.forceLogout</span> | boolean | false | `false` | Force existing guest session to logout and call authorize with a clean state. |
 | options.country | `AU`, ` JP` | false | Value set during `init`. | Server location for the guest to login or sign up. If you wish to restrict your guest to only one country, make sure to set this value.<br /><br /><strong>NOTE:</strong> For apps created after 2020-07-08, the sign up form will display a country selection dropdown for the guest to select a country when this value is undefined or invalid. |
@@ -117,9 +117,7 @@ mtLinkSdk.onboard(options)
 
 Since we are using PKCE/Code grant, we will have to exchange the `code` for a token. You can optionally pass `code` via options parameter or it will fallback to automatically extract it from the browser URL.
 
-Options for the `state`, `codeVerifier` and `onboard` calls will use the default value from `init`, however if you explicitly pass a new value when calling `authorize` or `onboard` via the options parameter, make sure to reuse the same value when calling this API, otherwise the authentication server will throw an error due to a value mismatch.
-
-If there is a `state` passed via this API option (or it exists in the URL), it will be used internally to compare to the `state` used in the previous `authorize` or `onboard` call during the same session. This API will throw an error when states do not match. Refer [here](https://auth0.com/docs/protocols/oauth2/oauth-state) for more details.
+Options for the, `codeVerifier` and `onboard` calls will use the default value from `init`, however if you explicitly pass a new value when calling `authorize` or `onboard` via the options parameter, make sure to reuse the same value when calling this API, otherwise the authentication server will throw an error due to a value mismatch.
 
 `code` will be invalidated (can be used only once) after exchanged for a token, it is your responsibility to store the token yourself as the SDK does not store it internally.
 
@@ -140,7 +138,6 @@ const token = await mtLinkSdk.exchangeToken(options);
 | - | - | - | - | - |
 | options | object | false | Value set during `init`. | Optional parameters. |
 | options.code | string | false | Value from browser URL | Code from OAuth redirection used to exchange for a token, SDK will try to extract it from the browser URL if none is provided.<br /><br /><strong>NOTE:</strong> SDK will throw an error if no value is provided here and the client library failed to extract it from browser URL. |
-| options.state | string | false | Value set during `init`. | Make sure the value of `state` here is the same state value used during the `authorize` or `onboard` call. |
 | options.codeVerifier | string | false | Value set during `init`. | Make sure the value of `codeVerifier` here is the same codeVerifier value used during the `authorize` or `onboard` call. |
 | options.redirectUri | string | false | Value set during `init`. | Make sure the value of `redirectUri` here is the same redirectUri value used during the `authorize` or `onboard` call.<br /><br /><strong>NOTE:</strong> The SDK will throw an error if both this parameter and the default value from the [init options](?id=api-init_options) are undefined. |
 
diff --git a/package.json b/package.json
@@ -26,8 +26,7 @@
     "node-fetch": "^2.6.1",
     "qs": "^6.9.4",
     "snake-case": "^3.0.3",
-    "url-safe-base64": "^1.1.1",
-    "uuid": "^8.3.1"
+    "url-safe-base64": "^1.1.1"
   },
   "devDependencies": {
     "@commitlint/cli": "^11.0.0",
@@ -37,7 +36,6 @@
     "@types/node-fetch": "^2.5.4",
     "@types/qs": "^6.9.5",
     "@types/url-safe-base64": "^1.1.0",
-    "@types/uuid": "^8.3.0",
     "@typescript-eslint/eslint-plugin": "^4.5.0",
     "@typescript-eslint/parser": "^4.5.0",
     "conventional-changelog-cli": "^2.1.0",
diff --git a/src/api/__tests__/authorize.test.ts b/src/api/__tests__/authorize.test.ts
@@ -40,7 +40,6 @@ describe('api', () => {
       open.mockClear();
 
       const codeVerifier = 'codeVerifier';
-      const state = 'state';
       const country = 'JP';
       const scopes = 'points_read';
       const cobrandClientId = 'cobrandClientId';
@@ -49,7 +48,6 @@ describe('api', () => {
       const mtLinkSdk = new MtLinkSdk();
       mtLinkSdk.init(clientId, {
         redirectUri,
-        state,
         codeVerifier,
         country,
         scopes,
@@ -69,16 +67,14 @@ describe('api', () => {
         redirect_uri: redirectUri,
         code_challenge: 'N1E4yRMD7xixn_oFyO_W3htYN3rY7-HMDKJe6z6r928',
         code_challenge_method: 'S256',
-        state,
         country,
         locale,
         configs: generateConfigs(),
       });
       const url = `${MY_ACCOUNT_DOMAINS.production}/oauth/authorize?${query}`;
       expect(open).toBeCalledWith(url, '_self');
 
-      expect(mockedStorage.set).toBeCalledTimes(2);
-      expect(mockedStorage.set).toBeCalledWith('state', state);
+      expect(mockedStorage.set).toBeCalledTimes(1);
       expect(mockedStorage.set).toBeCalledWith('codeVerifier', codeVerifier);
     });
 
@@ -118,8 +114,7 @@ describe('api', () => {
       const url = `${MY_ACCOUNT_DOMAINS.production}/oauth/authorize?${query}`;
       expect(open).toBeCalledWith(url, '_self');
 
-      expect(mockedStorage.set).toBeCalledTimes(4);
-      expect(mockedStorage.set).toBeCalledWith('state', state);
+      expect(mockedStorage.set).toBeCalledTimes(2);
       expect(mockedStorage.set).toBeCalledWith('codeVerifier', codeVerifier);
     });
 
diff --git a/src/api/__tests__/exchange-token.test.ts b/src/api/__tests__/exchange-token.test.ts
@@ -44,12 +44,6 @@ describe('api', () => {
       );
     });
 
-    test('state have to match if passed via options or extracted from url', async () => {
-      await expect(exchangeToken(mtLinkSdk.storedOptions, { code, state: 'test' })).rejects.toThrow(
-        '[mt-link-sdk] `state` does not matched, make sure to pass in the correct state used during `authorize` or `onboard` call'
-      );
-    });
-
     test('make request', async () => {
       fetch.mockClear();
 
diff --git a/src/api/__tests__/onboard.test.ts b/src/api/__tests__/onboard.test.ts
@@ -68,7 +68,6 @@ describe('api', () => {
       open.mockClear();
 
       const codeVerifier = 'codeVerifier';
-      const state = 'state';
       const country = 'JP';
       const scopes = 'points_read';
       const cobrandClientId = 'cobrandClientId';
@@ -77,7 +76,6 @@ describe('api', () => {
       const mtLinkSdk = new MtLinkSdk();
       mtLinkSdk.init(clientId, {
         redirectUri,
-        state,
         codeVerifier,
         country,
         scopes,
@@ -98,16 +96,14 @@ describe('api', () => {
         redirect_uri: redirectUri,
         code_challenge: 'N1E4yRMD7xixn_oFyO_W3htYN3rY7-HMDKJe6z6r928',
         code_challenge_method: 'S256',
-        state,
         country,
         locale,
         configs: generateConfigs({ email }),
       });
       const url = `${MY_ACCOUNT_DOMAINS.production}/onboard?${query}`;
       expect(open).toBeCalledWith(url, '_self');
 
-      expect(mockedStorage.set).toBeCalledTimes(2);
-      expect(mockedStorage.set).toBeCalledWith('state', state);
+      expect(mockedStorage.set).toBeCalledTimes(1);
       expect(mockedStorage.set).toBeCalledWith('codeVerifier', codeVerifier);
     });
 
@@ -148,8 +144,7 @@ describe('api', () => {
       const url = `${MY_ACCOUNT_DOMAINS.production}/onboard?${query}`;
       expect(open).toBeCalledWith(url, '_self');
 
-      expect(mockedStorage.set).toBeCalledTimes(4);
-      expect(mockedStorage.set).toBeCalledWith('state', state);
+      expect(mockedStorage.set).toBeCalledTimes(2);
       expect(mockedStorage.set).toBeCalledWith('codeVerifier', codeVerifier);
     });
 
diff --git a/src/api/authorize.ts b/src/api/authorize.ts
@@ -22,7 +22,6 @@ export default function authorize(
     locale,
     scopes: defaultScopes,
     redirectUri: defaultRedirectUri,
-    state: defaultState,
     codeVerifier: defaultCodeVerifier,
     country: defaultCountry,
   } = storedOptions;
@@ -34,18 +33,13 @@ export default function authorize(
   const {
     scopes = defaultScopes,
     redirectUri = defaultRedirectUri,
-    state = defaultState,
     codeVerifier = defaultCodeVerifier,
     country = defaultCountry,
     isNewTab,
+    state,
     ...rest
   } = options;
 
-  // update state
-  if (state !== defaultState) {
-    storage.set('state', state);
-  }
-
   // update codeVerifier
   if (codeVerifier !== defaultCodeVerifier) {
     storage.set('codeVerifier', codeVerifier);
diff --git a/src/api/exchange-token.ts b/src/api/exchange-token.ts
@@ -3,20 +3,17 @@ import qs from 'qs';
 import { MY_ACCOUNT_DOMAINS } from '../server-paths';
 import { StoredOptions, ExchangeTokenOptions } from '../typings';
 
-function getCodeAndState(): { code?: string; state?: string } {
+function getCode(): string | undefined {
   // not available in node environment
   if (!window) {
-    return {};
+    return;
   }
 
-  const { code, state } = qs.parse(window.location.search, {
+  const { code } = qs.parse(window.location.search, {
     ignoreQueryPrefix: true,
   });
 
-  return {
-    code: (Array.isArray(code) ? code[code.length - 1] : code) as string,
-    state: (Array.isArray(state) ? state[state.length - 1] : state) as string,
-  };
+  return (Array.isArray(code) ? code[code.length - 1] : code) as string | undefined;
 }
 
 export default async function exchangeToken(
@@ -26,7 +23,6 @@ export default async function exchangeToken(
   const {
     clientId,
     redirectUri: defaultRedirectUri,
-    state: defaultState,
     mode,
     codeVerifier: defaultCodeVerifier,
   } = storedOptions;
@@ -35,13 +31,10 @@ export default async function exchangeToken(
     throw new Error('[mt-link-sdk] Make sure to call `init` before calling `exchangeToken`.');
   }
 
-  const { code: extractedCode, state: extractedState } = getCodeAndState();
-
   const {
     redirectUri = defaultRedirectUri,
-    state = extractedState,
     codeVerifier = defaultCodeVerifier,
-    code = extractedCode,
+    code = getCode(),
   } = options;
 
   if (!code) {
@@ -50,12 +43,6 @@ export default async function exchangeToken(
     );
   }
 
-  if (state && defaultState !== state) {
-    throw new Error(
-      '[mt-link-sdk] `state` does not matched, make sure to pass in the correct state used during `authorize` or `onboard` call'
-    );
-  }
-
   if (!redirectUri) {
     throw new Error(
       '[mt-link-sdk] Missing option `redirectUri` in `exchangeToken`, make sure to pass one via `exchangeToken` options or `init` options.'
diff --git a/src/api/onboard.ts b/src/api/onboard.ts
@@ -19,7 +19,6 @@ export default function onboard(storedOptions: StoredOptions, options: OnboardOp
     locale,
     scopes: defaultScopes,
     redirectUri: defaultRedirectUri,
-    state: defaultState,
     codeVerifier: defaultCodeVerifier,
     country: defaultCountry,
   } = storedOptions;
@@ -31,10 +30,10 @@ export default function onboard(storedOptions: StoredOptions, options: OnboardOp
   const {
     scopes = defaultScopes,
     redirectUri = defaultRedirectUri,
-    state = defaultState,
     codeVerifier = defaultCodeVerifier,
     country = defaultCountry,
     isNewTab,
+    state,
     ...rest
   } = options;
   const configs = mergeConfigs(storedOptions, rest, [
@@ -46,11 +45,6 @@ export default function onboard(storedOptions: StoredOptions, options: OnboardOp
 
   const { email } = configs;
 
-  // update state
-  if (state !== defaultState) {
-    storage.set('state', state);
-  }
-
   // update codeVerifier
   if (codeVerifier !== defaultCodeVerifier) {
     storage.set('codeVerifier', codeVerifier);
diff --git a/src/index.ts b/src/index.ts
@@ -1,5 +1,3 @@
-import { v4 as uuid } from 'uuid';
-
 import authorize from './api/authorize';
 import onboard from './api/onboard';
 import logout from './api/logout';
@@ -28,7 +26,6 @@ const validModes: Mode[] = ['production', 'staging', 'develop', 'local'];
 export class MtLinkSdk {
   public storedOptions: StoredOptions = {
     mode: 'production',
-    state: storage.get('state') || uuid(),
     codeVerifier: storage.get('codeVerifier') || '',
   };
 
@@ -47,7 +44,6 @@ export class MtLinkSdk {
       mode: validModes.indexOf(mode) === -1 ? 'production' : mode,
     };
 
-    storage.set('state', this.storedOptions.state);
     storage.set('codeVerifier', this.storedOptions.codeVerifier);
   }
 
diff --git a/src/typings.ts b/src/typings.ts
@@ -80,7 +80,6 @@ export interface StoredOptions extends InitOptions {
   clientId?: string;
   mode: Mode;
   codeVerifier: string;
-  state: string;
 }
 
 export interface ExchangeTokenOptions extends OAuthSharedParams {
diff --git a/yarn.lock b/yarn.lock
@@ -858,11 +858,6 @@
   resolved "https://registry.yarnpkg.com/@types/url-safe-base64/-/url-safe-base64-1.1.0.tgz#90d35b9432164896a9d5b3d43bb88fb2ef86f2e2"
   integrity sha512-cVZIEorjpbV8NgdodMXyLItd9q0wT4k075a2F5Ew5L/zwB80rLIGhb7Owo17le0hhnZcJXizxc7hHdTs1or51A==
 
-"@types/uuid@^8.3.0":
-  version "8.3.0"
-  resolved "https://registry.yarnpkg.com/@types/uuid/-/uuid-8.3.0.tgz#215c231dff736d5ba92410e6d602050cce7e273f"
-  integrity sha512-eQ9qFW/fhfGJF8WKHGEHZEyVWfZxrT+6CLIJGBcZPfxUh/+BnEj+UCGYMlr9qZuX/2AltsvwrGqp0LhEW8D0zQ==
-
 "@types/yargs-parser@*":
   version "15.0.0"
   resolved "https://registry.yarnpkg.com/@types/yargs-parser/-/yargs-parser-15.0.0.tgz#cb3f9f741869e20cce330ffbeb9271590483882d"
@@ -7658,7 +7653,7 @@ uuid@^3.3.2:
   resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee"
   integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==
 
-uuid@^8.3.0, uuid@^8.3.1:
+uuid@^8.3.0:
   version "8.3.1"
   resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.1.tgz#2ba2e6ca000da60fce5a196954ab241131e05a31"
   integrity sha512-FOmRr+FmWEIG8uhZv6C2bTgEVXsHk08kE7mPlrBbEe+c3r9pjceVPgupIfNIhc4yx55H69OXANrUaSuu9eInKg==

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,6 @@ export interface StoredOptions extends InitOptions {`
`80`	`80`	`clientId?: string;`
`81`	`81`	`mode: Mode;`
`82`	`82`	`codeVerifier: string;`
`83`		`- state: string;`
`84`	`83`	`}`
`85`	`84`
`86`	`85`	`export interface ExchangeTokenOptions extends OAuthSharedParams {`