auth-backend: Encode the OAuth state param using URL safe chars (#3281)

backstage · Nov 12, 2020 · 4628763 · 4628763
1 parent d5a2bf9
commit 4628763
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/.changeset/tidy-bobcats-prove.md b/.changeset/tidy-bobcats-prove.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-auth-backend': patch
+---
+
+Encode the OAuth state parameter using URL safe chars only, so that providers have an easier time forming the callback URL.
diff --git a/plugins/auth-backend/src/lib/oauth/helpers.ts b/plugins/auth-backend/src/lib/oauth/helpers.ts
@@ -19,7 +19,7 @@ import { OAuthState } from './types';
 
 export const readState = (stateString: string): OAuthState => {
   const state = Object.fromEntries(
-    new URLSearchParams(decodeURIComponent(stateString)),
+    new URLSearchParams(Buffer.from(stateString, 'hex').toString('utf-8')),
   );
   if (
     !state.nonce ||
@@ -40,7 +40,7 @@ export const encodeState = (state: OAuthState): string => {
   searchParams.append('nonce', state.nonce);
   searchParams.append('env', state.env);
 
-  return encodeURIComponent(searchParams.toString());
+  return Buffer.from(searchParams.toString(), 'utf-8').toString('hex');
 };
 
 export const verifyNonce = (req: express.Request, providerId: string) => {