fix: verify state parameter and specify node v20 in .nvmrc for crypto

vardario · Apr 10, 2024 · b185009 · b185009
1 parent 019c0e9
commit b185009
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 3 deletions.
diff --git a/.nvmrc b/.nvmrc
@@ -0,0 +1 @@
+20
diff --git a/package.json b/package.json
@@ -27,6 +27,7 @@
   "devDependencies": {
     "@aws-sdk/client-cognito-identity-provider": "^3.465.0",
     "@types/jsdom": "^21.1.5",
+    "@types/node": "^20",
     "@typescript-eslint/eslint-plugin": "^6.11.0",
     "@typescript-eslint/parser": "^6.11.0",
     "esbuild": "^0.20.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/cognito-client.ts b/src/cognito-client.ts
@@ -883,19 +883,22 @@ export class CognitoClient {
    *
    * @throws {Error}
    */
-  async handleCodeFlow(returnUrl: string, pkce: string): Promise<Session> {
+  async handleCodeFlow(returnUrl: string, pkce: string, state: string): Promise<Session> {
     if (this.oAuth === undefined) {
       throw Error('You have to define oAuth options to use handleCodeFlow');
     }
 
     const url = new URL(returnUrl);
     const code = url.searchParams.get('code');
-    const state = url.searchParams.get('state');
 
-    if (code === null || state === null) {
+    if (code === null) {
       throw Error('code or state parameter is missing from return url.');
     }
 
+    if (url.searchParams.get('state') !== state) {
+      throw Error('State parameter does not match.');
+    }
+
     const urlParams = new URLSearchParams();
 
     urlParams.append('grant_type', 'authorization_code');