@@ -122,10 +122,13 @@ func (h *LoginHelper) ForceRefresh(t *testing.T, db database.Store, user *coders
122
122
// unit tests, it's easier to skip this step sometimes. It does make an actual
123
123
// request to the IDP, so it should be equivalent to doing this "manually" with
124
124
// actual requests.
125
- //
126
- // TODO: Is state param optional? Can we grab it from the authURL?
127
- func OAuth2GetCode (authURL string , state string , doRequest func (req * http.Request ) (* http.Response , error )) (string , error ) {
128
- r , err := http .NewRequestWithContext (context .Background (), http .MethodGet , authURL , nil )
125
+ func OAuth2GetCode (rawAuthURL string , doRequest func (req * http.Request ) (* http.Response , error )) (string , error ) {
126
+ authURL , err := url .Parse (rawAuthURL )
127
+ if err != nil {
128
+ return "" , xerrors
10000
span>.Errorf ("failed to parse auth URL: %w" , err )
129
+ }
130
+
131
+ r , err := http .NewRequestWithContext (context .Background (), http .MethodGet , rawAuthURL , nil )
129
132
if err != nil {
130
133
return "" , xerrors .Errorf ("failed to create auth request: %w" , err )
131
134
}
@@ -156,6 +159,7 @@ func OAuth2GetCode(authURL string, state string, doRequest func(req *http.Reques
156
159
return "" , xerrors .Errorf ("expected code in redirect location" )
157
160
}
158
161
162
+ state := authURL .Query ().Get ("state" )
159
163
newState := toURL .Query ().Get ("state" )
160
164
if newState != state {
161
165
return "" , xerrors .Errorf ("expected state %q, got %q" , state , newState )
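Review bot: The state comparison in the second hunk degrades to a no-op when the auth URL carries no `state` query parameter: `state` is then the empty string, and a redirect that also omits `state` satisfies `newState != state`, so the helper no longer detects a provider that drops state entirely. Now that the explicit `state` argument has been removed, the value read from `authURL.Query()` should be required before it is compared, e.g. `if state == "" { return "", xerrors.Errorf("expected state parameter in auth URL") }`. The doc comment on OAuth2GetCode (first hunk) also no longer says where state comes from since the TODO was dropped; a line such as `// The OAuth2 state is taken from the auth URL's query and must match the redirect.` would make the contract explicit. OAuth2GetCode's body continues outside both hunks.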