State ID check in Hybrid flow is not accurate

[harjoben]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

The flow_hybrid.go has this check here for state where it assigns the value from the fosite.AuthorizeRequester if there is no state present in the response parameters.

if resp.GetParameters().Get("state") == "" {
        resp.AddParameter("state", ar.GetState())
}

But the check will misbehave if there is empty string passed in as "state". In that scenario, response parameter will have "state" with two empty strings as values. This will result in the redirect uri having duplicate state keys.

The above if statement should be changed to

if !resp.GetParameters().Has("state") {
        resp.AddParameter("state", ar.GetState())
}

Reproducing the bug

Pass in empty state in the authorize request

Relevant log output

The redirect uri will look something like:
ui/oidcclient/redirect#expires_in=7199&token_type=bearer&state=&state=&scope=openid%20profile&id_token=<id_token>&code=<code>&access_token=<access_token>

Relevant configuration

No response

Version

v0.41.0

On which operating system are you observing this issue?

No response

In which environment are you deploying?

No response

Additional Context

No response

[aeneasr]

Nice find, PRs appreciated :)

[james-d-elliott]

@aeneasr this was fixed by #670