generate fresh state uuid instead of lifting from ctx, as requestId is migrated to...
[squeep-authentication-module] / lib / session-manager.js
index a0bea6a94ce46ae4ec785f8fdabd796b7d8ab881..6af1017ad6c1d6a5bdfc3c7ca53fdb3d72e239ca 100644 (file)
@@ -6,6 +6,7 @@
 
 const { Communication: IndieAuthCommunication } = require('@squeep/indieauth-helper');
 const { MysteryBox } = require('@squeep/mystery-box');
+const { randomUUID } = require('crypto');
 const common = require('./common');
 const Enum = require('./enum');
 const Template = require('./template');
@@ -30,7 +31,8 @@ class SessionManager {
     this.authenticator = authenticator;
     this.options = options;
     this.indieAuthCommunication = new IndieAuthCommunication(logger, options);
-    this.mysteryBox = new MysteryBox(logger, options);
+    this.mysteryBox = new MysteryBox(options);
+    this.mysteryBox.on('statistics', common.mysteryBoxLogger(logger, _fileScope(this.constructor.name)));
 
     this.cookieLifespan = options.authenticator.inactiveSessionLifespanSeconds || 60 * 60 * 24 * 32;
   }
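Review bot: The `statistics` listener added in the constructor forwards whatever MysteryBox emits to the logger, and neither the event payload nor `common.mysteryBoxLogger` is visible in this hunk. If this box is what seals the login session (not shown here), it is worth confirming that the logged fields are limited to metadata such as sizes and timings, and never include the boxed payload or key-derived values. A short comment above the `.on(...)` call would record that, for example `// statistics events carry only packing metadata; safe to log`, once that has been verified. The constructor starts outside the hunk.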
@@ -179,9 +181,10 @@ class SessionManager {
       if (authorizationEndpoint) {
         const pkce = await IndieAuthCommunication.generatePKCE();
 
+        const state = randomUUID();
         session = {
           authorizationEndpoint: authorizationEndpoint.href,
-          state: ctx.requestId,
+          state,
           codeVerifier: pkce.codeVerifier,
           me,
           redirect,
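Review bot: The new `const state = randomUUID();` line has no comment saying what property the value must hold, which is how it came to be borrowed from `ctx.requestId` in the first place. `state` ties the authorization callback to this login attempt, so it needs to be unpredictable and scoped to this session. A request identifier is typically written to logs and may be exposed elsewhere, so the two should stay decoupled. I would add a comment above it such as `// IndieAuth state: per-attempt CSPRNG value binding the callback to this session; never reuse request/log identifiers`. The callback side is outside this hunk, so it is worth confirming that it rejects a missing or mismatched `state` before redeeming the code. The enclosing method begins and ends outside the hunk.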