generate fresh state uuid instead of lifting from ctx, as requestId is migrated to...

diff --git a/lib/session-manager.js b/lib/session-manager.js
index 9428203a9619243355f35fb0950f826b7b7db118..6af1017ad6c1d6a5bdfc3c7ca53fdb3d72e239ca 100644 (file)
--- a/lib/session-manager.js
+++ b/lib/session-manager.js
@@ -6,6 +6,7 @@
 
 const { Communication: IndieAuthCommunication } = require('@squeep/indieauth-helper');
 const { MysteryBox } = require('@squeep/mystery-box');
+const { randomUUID } = require('crypto');
 const common = require('./common');
 const Enum = require('./enum');
 const Template = require('./template');
@@ -180,9 +181,10 @@ class SessionManager {
       if (authorizationEndpoint) {
         const pkce = await IndieAuthCommunication.generatePKCE();
 
+        const state = randomUUID();
         session = {
           authorizationEndpoint: authorizationEndpoint.href,
-          state: ctx.requestId,
+          state,
           codeVerifier: pkce.codeVerifier,
           me,
           redirect,