fix: added stateKey per Authentication target

n3rdc4ptn · n3rdc4ptn · commit 5f6787b4582e · 2025-07-10T13:08:08.000+02:00
diff --git a/server/plugins/auth-utils.js b/server/plugins/auth-utils.js
@@ -77,7 +77,10 @@ async function authUtilsPlugin(fastify) {
     };
   });
 
-  fastify.decorate('prepareOidcLoginRedirect', (request, oidcConfig, authorizationEndpoint) => {
+  fastify.decorate('prepareOidcLoginRedirect', (request, oidcConfig, authorizationEndpoint, stateKey) => {
+    if (stateKey === undefined) {
+      stateKey = 'oauthState';
+    }
     request.log.info('Preparing OIDC login redirect.');
 
     const { redirectTo } = request.query;
@@ -93,7 +96,7 @@ async function authUtilsPlugin(fastify) {
     const codeVerifier = crypto.randomBytes(32).toString('base64url');
     const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
 
-    request.encryptedSession.set('oauthState', state);
+    request.encryptedSession.set(stateKey, state);
     request.encryptedSession.set('codeVerifier', codeVerifier);
     request.log.info(
       {
@@ -117,7 +120,10 @@ async function authUtilsPlugin(fastify) {
     return url.toString();
   });
 
-  fastify.decorate('handleOidcCallback', async (request, oidcConfig, tokenEndpoint) => {
+  fastify.decorate('handleOidcCallback', async (request, oidcConfig, tokenEndpoint, stateKey) => {
+    if (stateKey === undefined) {
+      stateKey = 'oauthState';
+    }
     request.log.info('Handling OIDC callback to retrieve the tokens.');
 
     const { clientId, redirectUri } = oidcConfig;
@@ -127,7 +133,7 @@ async function authUtilsPlugin(fastify) {
       request.log.error('Missing authorization code in callback.');
       throw new AuthenticationError('Missing code in callback.');
     }
-    if (state !== request.encryptedSession.get('oauthState')) {
+    if (state !== request.encryptedSession.get(stateKey)) {
       request.log.error('Invalid state in callback.');
       throw new AuthenticationError('Invalid state in callback.');
     }
diff --git a/server/routes/auth-mcp.js b/server/routes/auth-mcp.js
@@ -1,6 +1,8 @@
 import fp from 'fastify-plugin';
 import { AuthenticationError } from '../plugins/auth-utils.js';
 
+const stateSessionKey = 'oauthStateMCP';
+
 async function authPlugin(fastify) {
   const { OIDC_ISSUER, OIDC_CLIENT_ID_MCP, OIDC_REDIRECT_URI, OIDC_SCOPES, POST_LOGIN_REDIRECT } = fastify.config;
 
@@ -18,6 +20,7 @@ async function authPlugin(fastify) {
         scopes: OIDC_SCOPES,
       },
       mcpIssuerConfiguration.authorizationEndpoint,
+      stateSessionKey,
     );
 
     return reply.redirect(redirectUri);
@@ -32,6 +35,7 @@ async function authPlugin(fastify) {
           redirectUri: OIDC_REDIRECT_URI,
         },
         mcpIssuerConfiguration.tokenEndpoint,
+        stateSessionKey,
       );
 
       req.encryptedSession.set('mcp_accessToken', callbackResult.accessToken);
diff --git a/server/routes/auth-onboarding.js b/server/routes/auth-onboarding.js
@@ -1,6 +1,8 @@
 import fp from 'fastify-plugin';
 import { AuthenticationError } from '../plugins/auth-utils.js';
 
+const stateSessionKey = 'oauthStateOnboarding';
+
 async function authPlugin(fastify) {
   const { OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, POST_LOGIN_REDIRECT } = fastify.config;
 
@@ -17,6 +19,7 @@ async function authPlugin(fastify) {
         scopes: OIDC_SCOPES,
       },
       issuerConfiguration.authorizationEndpoint,
+      stateSessionKey,
     );
 
     return reply.redirect(redirectUri);
@@ -31,6 +34,7 @@ async function authPlugin(fastify) {
           redirectUri: OIDC_REDIRECT_URI,
         },
         issuerConfiguration.tokenEndpoint,
+        stateSessionKey,
       );
 
       req.encryptedSession.set('onboarding_accessToken', callbackResult.accessToken);
