fix(proxy): improve redirect proxy logic (#11517)

* refactor(proxy): improve redirect proxy code

* match name

* correct comment

* remove unused type import

* improve

* more cleanups

* simplify

* simpler

* refactor

* simplify

* more

* forward all params

* add/fix tests

* fix comment

* drop .only

* add comment

packages/core/src/jwt.ts

@@ -71,7 +71,7 @@ export async function encode<Payload = JWT>(params: JWTEncodeParams<Payload>) {
     .encrypt(encryptionSecret)
 }
 
-/** Decodes a Auth.js issued JWT. */
+/** Decodes an Auth.js issued JWT. */
 export async function decode<Payload = JWT>(
   params: JWTDecodeParams
 ): Promise<Payload | null> {

packages/core/src/lib/actions/callback/index.ts

@@ -10,7 +10,7 @@ import {
 } from "../../../errors.js"
 import { handleLoginOrRegister } from "./handle-login.js"
 import { handleOAuth } from "./oauth/callback.js"
-import { handleState } from "./oauth/checks.js"
+import { state } from "./oauth/checks.js"
 import { createHash } from "../../utils/web.js"
 
 import type { AdapterSession } from "../../../adapters.js"
@@ -57,28 +57,33 @@ export async function callback(
   try {
     if (provider.type === "oauth" || provider.type === "oidc") {
       // Use body if the response mode is set to form_post. For all other cases, use query
-      const payload =
+      const params =
         provider.authorization?.url.searchParams.get("response_mode") ===
         "form_post"
           ? body
           : query
 
-      const { proxyRedirect, randomState } = handleState(
-        payload,
-        provider,
-        options.isOnRedirectProxy
-      )
-
-      if (proxyRedirect) {
-        logger.debug("proxy redirect", { proxyRedirect, randomState })
-        return { redirect: proxyRedirect }
+      // If we have a state and we are on a redirect proxy, we try to parse it
+      // and see if it contains a valid origin to redirect to. If it does, we
+      // redirect the user to that origin with the original state.
+      if (options.isOnRedirectProxy && params?.state) {
+        // NOTE: We rely on the state being encrypted using a shared secret
+        // between the proxy and the original server.
+        const parsedState = await state.decode(params.state, options)
+        const shouldRedirect =
+          parsedState?.origin &&
+          new URL(parsedState.origin).origin !== options.url.origin
+        if (shouldRedirect) {
+          const proxyRedirect = `${parsedState.origin}?${new URLSearchParams(params)}`
+          logger.debug("Proxy redirecting to", proxyRedirect)
+          return { redirect: proxyRedirect, cookies }
+        }
       }
 
       const authorizationResult = await handleOAuth(
-        payload,
+        params,
         request.cookies,
-        options,
-        randomState
+        options
       )
 
       if (authorizationResult.cookies.length) {

packages/core/src/lib/actions/callback/oauth/callback.ts

@@ -28,10 +28,9 @@ import { isOIDCProvider } from "../../../utils/providers.js"
  * we fetch it anyway. This is because we always want a user profile.
  */
 export async function handleOAuth(
-  query: RequestInternal["query"],
+  params: RequestInternal["query"],
   cookies: RequestInternal["cookies"],
-  options: InternalOptions<"oauth" | "oidc">,
-  randomState?: string
+  options: InternalOptions<"oauth" | "oidc">
 ) {
   const { logger, provider } = options
   let as: o.AuthorizationServer
@@ -78,17 +77,12 @@ export async function handleOAuth(
 
   const resCookies: Cookie[] = []
 
-  const state = await checks.state.use(
-    cookies,
-    resCookies,
-    options,
-    randomState
-  )
+  const state = await checks.state.use(cookies, resCookies, options)
 
   const codeGrantParams = o.validateAuthResponse(
     as,
     client,
-    new URLSearchParams(query),
+    new URLSearchParams(params),
     provider.checks.includes("state") ? state : o.skipStateCheck
   )