Conversation

@JonZa JonZa (Contributor) commented Jan 2, 2026

Summary

The X OAuth handler was generating new PKCE values on every request via inline randomUUID() calls in the config defaults. This caused the token exchange to fail because the code_verifier didn't match the original code_challenge.

Changes:

  • Use handlePkceVerifier utility to persist verifier in cookie
  • Use S256 challenge method instead of plain (more secure)
  • Add proper state validation using handleState/handleInvalidState
  • Remove broken inline PKCE/state generation from authorizationParams
  • Ensure PKCE/state values can't be overridden by user config (spread authorizationParams before setting secure values)

Test plan

  • Complete X OAuth flow end-to-end
  • Verify nuxt-auth-pkce cookie is set on redirect and cleared on callback
  • Verify nuxt-auth-state cookie is set on redirect and cleared on callback
  • Test retry after user cancellation
  • Verify custom authorizationParams (e.g., prompt) still work

The X OAuth handler was generating new PKCE values on every request via
inline randomUUID() calls in the config defaults. This caused the token
exchange to fail because the code_verifier didn't match the original
code_challenge.

This fix:
- Uses handlePkceVerifier utility to persist verifier in cookie
- Uses S256 challenge method instead of plain (more secure)
- Adds proper state validation using handleState/handleInvalidState
- Removes broken inline PKCE/state generation from authorizationParams
- Ensures PKCE/state values can't be overridden by user config
pkg-pr-new bot commented Jan 13, 2026

npm i https://pkg.pr.new/atinux/nuxt-auth-utils@482

commit: d1a41c7

@atinux atinux merged commit df5c66e into atinux:main Jan 13, 2026
4 checks passed