
fix: OAuth ConnectProvider state HMAC format mismatch

ConnectProvider computed HMAC over bare state, but Callback always
verifies HMAC(state+":"+intent). This caused the account-linking
flow to always fail with invalid_state.
2026-04-25 02:00:39 +06:00
parent 339cd7bee1
commit 5e13879954


@ -404,10 +404,10 @@ func (h *meHandler) ConnectProvider(w http.ResponseWriter, r *http.Request) {
return
}
mac := computeHMAC(h.jwtSecret, state)
mac := computeHMAC(h.jwtSecret, state+":"+"login")
http.SetCookie(w, &http.Cookie{
Name: "oauth_state",
Value: state + ":" + mac,
Value: state + ":" + mac + ":" + "login",
Path: "/",
MaxAge: 600,
HttpOnly: true,