X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fsession-manager.js;h=cb4c7126ec54cffc18b1856270cd1112f5c60182;hb=681ff60618195ab6754e5b8718a32e53ab2222ec;hp=9428203a9619243355f35fb0950f826b7b7db118;hpb=392502c5cc0cb12cf3c00ecd06c5c69b3e00d7e3;p=squeep-authentication-module diff --git a/lib/session-manager.js b/lib/session-manager.js index 9428203..cb4c712 100644 --- a/lib/session-manager.js +++ b/lib/session-manager.js @@ -6,6 +6,7 @@ const { Communication: IndieAuthCommunication } = require('@squeep/indieauth-helper'); const { MysteryBox } = require('@squeep/mystery-box'); +const { randomUUID } = require('crypto'); const common = require('./common'); const Enum = require('./enum'); const Template = require('./template'); @@ -22,8 +23,8 @@ class SessionManager { * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds * @param {Boolean} options.authenticator.secureAuthOnly * @param {Object} options.dingus - * @param {Object} options.dingus.proxyPrefix - * @param {Object} options.dingus.selfBaseUrl + * @param {String} options.dingus.proxyPrefix + * @param {String} options.dingus.selfBaseUrl */ constructor(logger, authenticator, options) { this.logger = logger; @@ -139,13 +140,13 @@ class SessionManager { && me) { let profile; profile = await this.indieAuthCommunication.fetchProfile(me); - if ((!profile || !profile.metadata) + if ((!profile?.metadata) && meAutoScheme) { this.logger.debug(_scope, 'trying http fallback', { ctx }); me.protocol = 'http'; profile = await this.indieAuthCommunication.fetchProfile(me); } - if (!profile || !profile.metadata) { + if (!profile?.metadata) { this.logger.debug(_scope, 'failed to find any profile information at url', { ctx }); ctx.errors.push(`No profile information was found at '${me}'.`); } else { 
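Review bot: In the third hunk, the parentheses around `!profile?.metadata` in the first changed condition are left over from the two-term `||` form and are now redundant; `if (!profile?.metadata && meAutoScheme) {` reads more cleanly and matches the shape of the second changed condition a few lines below. The rewrite is behaviour-preserving: `?.` short-circuits only on null/undefined, and a falsy non-nullish `profile` still yields an undefined `.metadata`, so the new test is true in exactly the cases the old one was. The enclosing method starts and ends outside the hunk.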
@@ -180,9 +181,10 @@ class SessionManager { if (authorizationEndpoint) { const pkce = await IndieAuthCommunication.generatePKCE(); + const state = randomUUID(); session = { authorizationEndpoint: authorizationEndpoint.href, - state: ctx.requestId, + state, codeVerifier: pkce.codeVerifier, me, redirect,
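Review bot: The new `const state = randomUUID();` line has no comment saying why the state is now generated rather than reused from `ctx.requestId`, and that reason is the security property of the change, so it deserves to be recorded next to the line: `// Fresh unguessable state per authorization attempt; the callback must match it against the stored session value.` The stored `state` is presumably compared with the `state` parameter on the redirect back, but that check lives outside this diff, so it is worth confirming that the callback side reads the expected value from the session rather than from the request id it used to equal. The enclosing method starts and ends outside the hunk.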