End of Toshl Oauth flow sometimes fails at the state parsing stage

[mzogheib]

Looks like the queryParams parser is not carrying out uri decoding properly but this only happens sometimes, e.g. = at the end of the base64 encoded string is returned as %25D or whatever.

Can recreate with the following state object
{id: "toshl", token: "z38ph0sozo"}

[mzogheib]

Is this related?
https://stackoverflow.com/questions/30106476/using-javascripts-atob-to-decode-base64-doesnt-properly-decode-utf-8-strings

[mzogheib]

Here's what's happening:

1. {id: "toshl", token: "z38ph0sozo"} is first Base 64 encoded to eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0='. Note the = on the end, which is to pad the string to its required length
2. This Base 64 encoded value is then uriEncoded to be added as the state query param: encodeURIComponent('eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0=') -> eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0%3D. Note = is encoded as %3D
3. The final url that the user is redirected to is https://toshl.com/connect/app/?client_id=98e9ca50-9b4c-432d-88eb-68a13ac3dceb30e117cd-9614-464f-90af-58979a9e6c11&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000&state=eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0%3D
4. On Toshl auth page, user authorises the app and is redirected back to http://localhost:3000/?code=a0452fb5-9e90-4c1c-b3a4-4a1abcc414509954826d-1089-48e0-ab5e-93be0ae1ec5a&state=eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0%253D. Note %253D on the end. It appears Toshl is encoding the % to %25 in the state param it received.
5. Client then uriDecodes this the state param value, expecting it to be a Base 64 encoded string. decodeURIComponent('eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0%253D') -> eyJpZCI6InRvc2hsIiwidG9rZW4iOiJ6MzhwaDBzb3pvIn0%3D.
6. This final value cannot be Base 64 decoded. The %3D breaks it.

[mzogheib]

The = is added to the end as a pad
https://stackoverflow.com/questions/4492426/remove-trailing-when-base64-encoding