usebruno · m-schrepel · Apr 17, 2024 · Apr 17, 2024 · Apr 17, 2024 · Apr 17, 2024
diff --git a/packages/bruno-electron/src/ipc/network/authorize-user-in-window.js b/packages/bruno-electron/src/ipc/network/authorize-user-in-window.js
@@ -30,10 +30,12 @@ const authorizeUserInWindow = ({ authorizeUrl, callbackUrl, session }) => {
     });
 
     function onWindowRedirect(url) {
+      // The finalUrl should always be the callbackUrl.
+      const hasHitRedirectUrl = url.includes(callbackUrl);
       // check if the url contains an authorization code
-      if (new URL(url).searchParams.has('code')) {
+      if (hasHitRedirectUrl && new URL(url).searchParams.has('code')) {
         finalUrl = url;
-        if (!url || !finalUrl.includes(callbackUrl)) {
+        if (!url) {
           reject(new Error('Invalid Callback Url'));
         }
         window.close();

diff --git a/packages/bruno-electron/src/ipc/network/oauth2-helper.js b/packages/bruno-electron/src/ipc/network/oauth2-helper.js
@@ -7,20 +7,17 @@ const generateCodeVerifier = () => {
   return crypto.randomBytes(22).toString('hex');
 };
 
-const generateCodeChallenge = (codeVerifier) => {
-  const hash = crypto.createHash('sha256');
-  hash.update(codeVerifier);
-  const base64Hash = hash.digest('base64');
-  return base64Hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+const generateUniqueHash = (inputString) => {
+  return crypto.createHash('sha256').update(inputString).digest('base64url');
 };
 
 // AUTHORIZATION CODE
 
 const resolveOAuth2AuthorizationCodeAccessToken = async (request, collectionUid) => {
   let codeVerifier = generateCodeVerifier();
-  let codeChallenge = generateCodeChallenge(codeVerifier);
-
+  let codeChallenge = generateUniqueHash(codeVerifier);
   let requestCopy = cloneDeep(request);
+
   const { authorizationCode } = await getOAuth2AuthorizationCode(requestCopy, codeChallenge, collectionUid);
   const oAuth = get(requestCopy, 'oauth2', {});
   const { clientId, clientSecret, callbackUrl, scope, pkce } = oAuth;
@@ -47,21 +44,23 @@ const getOAuth2AuthorizationCode = (request, codeChallenge, collectionUid) => {
   return new Promise(async (resolve, reject) => {
     const { oauth2 } = request;
     const { callbackUrl, clientId, authorizationUrl, scope, pkce } = oauth2;
+    const oauth2Store = new Oauth2Store();
+    const state = generateUniqueHash(oauth2Store.getSessionIdOfCollection(collectionUid));
 
     let oauth2QueryParams =
       (authorizationUrl.indexOf('?') > -1 ? '&' : '?') + `client_id=${clientId}&response_type=code`;
+
     if (callbackUrl) {
       oauth2QueryParams += `&redirect_uri=${callbackUrl}`;
     }
     if (scope) {
       oauth2QueryParams += `&scope=${scope}`;
     }
     if (pkce) {
-      oauth2QueryParams += `&code_challenge=${codeChallenge}&code_challenge_method=S256`;
+      oauth2QueryParams += `&code_challenge=${codeChallenge}&code_challenge_method=S256&state=${state}`;
     }
     const authorizationUrlWithQueryParams = authorizationUrl + oauth2QueryParams;
     try {
-      const oauth2Store = new Oauth2Store();
       const { authorizationCode } = await authorizeUserInWindow({
         authorizeUrl: authorizationUrlWithQueryParams,
         callbackUrl,