From 5e13879954a5b3cf9b0381ea1a6c2e210b8ee489 Mon Sep 17 00:00:00 2001
From: pptx704
Date: Sat, 25 Apr 2026 02:00:39 +0600
Subject: [PATCH] fix: OAuth ConnectProvider state HMAC format mismatch

ConnectProvider computed HMAC over bare state, but Callback always verifies HMAC(state+":"+intent). This caused the account-linking flow to always fail with invalid_state.
---
 internal/api/handlers_me.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/api/handlers_me.go b/internal/api/handlers_me.go
index fefd041..194087c 100644
--- a/internal/api/handlers_me.go
+++ b/internal/api/handlers_me.go
@@ -404,10 +404,10 @@ func (h *meHandler) ConnectProvider(w http.ResponseWriter, r *http.Request) {
 return
 }
- mac := computeHMAC(h.jwtSecret, state)
+ mac := computeHMAC(h.jwtSecret, state+":"+"login")
 http.SetCookie(w, &http.Cookie{
 Name: "oauth_state",
- Value: state + ":" + mac,
+ Value: state + ":" + mac + ":" + "login",
 Path: "/",
 MaxAge: 600,
 HttpOnly: true,