fix: use opaque state parameter in OAuth authorization flow

src/auth/cloudflare-auth.ts

@@ -1,7 +1,5 @@
 import { z } from 'zod'
 
-import type { AuthRequest } from '@cloudflare/workers-oauth-provider'
-
 const PKCE_CHARSET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~'
 const CODE_VERIFIER_LENGTH = 96
 
@@ -44,15 +42,15 @@ export async function generatePKCECodes(): Promise<PKCECodes> {
 export async function getAuthorizationURL(params: {
   client_id: string
   redirect_uri: string
-  state: AuthRequest
+  stateToken: string
   scopes: string[]
   codeChallenge: string
 }): Promise<{ authUrl: string }> {
   const urlParams = new URLSearchParams({
     response_type: 'code',
     client_id: params.client_id,
     redirect_uri: params.redirect_uri,
-    state: btoa(JSON.stringify(params.state)),
+    state: params.stateToken,
     code_challenge: params.codeChallenge,
     code_challenge_method: 'S256',
     scope: params.scopes.join(' ')

src/auth/oauth-handler.ts

@@ -135,21 +135,15 @@ export async function handleTokenExchangeCallback(
  */
 async function redirectToCloudflare(
   requestUrl: string,
-  oauthReqInfo: AuthRequest,
   stateToken: string,
   codeChallenge: string,
   scopes: string[],
   additionalHeaders: Record<string, string> = {}
 ): Promise<Response> {
-  const stateWithToken: AuthRequest = {
-    ...oauthReqInfo,
-    state: stateToken
-  }
-
   const { authUrl } = await getAuthorizationURL({
     client_id: env.CLOUDFLARE_CLIENT_ID,
     redirect_uri: new URL('/oauth/callback', requestUrl).href,
-    state: stateWithToken,
+    stateToken,
     scopes,
     codeChallenge
   })
@@ -193,16 +187,9 @@ export function createAuthHandlers() {
         const stateToken = await createOAuthState(oauthReqInfo, env.OAUTH_KV, codeVerifier)
         const { setCookie: sessionCookie } = await bindStateToSession(stateToken)
 
-        return redirectToCloudflare(
-          c.req.url,
-          oauthReqInfo,
-          stateToken,
-          codeChallenge,
-          defaultScopes,
-          {
-            'Set-Cookie': sessionCookie
-          }
-        )
+        return redirectToCloudflare(c.req.url, stateToken, codeChallenge, defaultScopes, {
+          'Set-Cookie': sessionCookie
+        })
       }
 
       // Client not approved - show consent dialog with scope selection
@@ -263,7 +250,6 @@ export function createAuthHandlers() {
 
       const redirectResponse = await redirectToCloudflare(
         c.req.url,
-        oauthReqInfo,
         stateToken,
         codeChallenge,
         scopesToRequest

src/auth/workers-oauth-utils.ts

@@ -1101,17 +1101,7 @@ export async function validateOAuthState(
     throw new OAuthError('invalid_request', 'Missing state parameter')
   }
 
-  // Decode state to extract embedded stateToken
-  let stateToken: string
-  try {
-    const decodedState = JSON.parse(atob(stateFromQuery))
-    stateToken = decodedState.state
-    if (!stateToken) {
-      throw new Error('State token not found')
-    }
-  } catch {
-    throw new OAuthError('invalid_request', 'Failed to decode state')
-  }
+  const stateToken = stateFromQuery
 
   // Validate state exists in KV
   const storedDataJson = await kv.get(`oauth:state:${stateToken}`)